The month of May is turning out to be busy for organizations as security vendors have started releasing major security updates to mitigate serious security holes that can be exploited recklessly by attackers. One of the high impact flaws that have been addressed is the Microarchitectural Data Sampling (MDS) flaws evident in Intel’s hardware.
The flaw also known as ZombieLoad has impacted millions of devices powered with Intel. As per a security advisory, Intel mentioned that it has worked with operating system vendors, equipment manufacturers, and other partners to protect devices from attacks arising from MDS. Microsoft, Canonical, Google, and VMWare have already released patches which remediate these set of flaws.
On the other hand, Microsoft and Adobe have published their monthly security release for May, as part of Patch Tuesday. Let’s have a look at the security updates brought out by leading vendors.
Adobe’s May 2019 security release addresses critical vulnerabilities in various products. The updated products include Adobe Acrobat, Adobe Reader, Adobe Media Encoder and Adobe Flash Player.
- APSB19-18: This security update addresses 84 vulnerabilities found in Adobe Acrobat and Adobe Reader, both for Windows and macOS systems. Vulnerabilities included out-of-bounds read, out-of-bounds write, type confusion, heap overflow, buffer error, double free and security bypass flaws. The out-of-bounds flaws could lead to information disclosure(ID), while the other critical ones allowed arbitrary code execution (ACE).
- APSB19-26: This update patches an ACE flaw found in Adobe Flash Player for Windows, macOS, Linux, as well as Chrome OS. The flaw is fixed in version 22.214.171.124.
- APSB19-29: This update fixes two major flaws found in Adobe Media Encoder for Windows and macOS, which could lead to ID and ACE. The flaws are fixed in version 13.1.
Users are advised to update to the latest versions of all these software immediately.
Apple has released security updates for this month. These updates fix a number of security flaws found across its software products. This includes watchOS, iOS, macOS, Safari, tvOS, and Apple TV software. The WebKit component, found in Safari browser had the most number of flaws that were fixed with the updates.
Vulnerabilities in the affected products included ACE, authentication bypass, denial-of-service (DoS), and memory corruption flaws. Apple TV Software, which powers Apple TVs prior to those with tvOS, also received updates which remediate ACE and input validation flaws (CVE-2017-14315, CVE-2017-9417, and CVE-2017-6975).
Canonical has published numerous security advisories which fix Linux kernel-related vulnerabilities found in its operating system Ubuntu. These flaws can be mitigated with the latest versions which are mentioned at the end of each advisory. Affected Ubuntu versions are 19.04, 18.10, 18.04 LTS, 16.04 LTS, 14.04 ESM and 12.04 ESM. One of the advisories also address the widely-known Intel MDS flaws, which has been remediated in all the Ubuntu versions except 12.04 ESM.
Other advisories address flaws found in Samba, OpenJDK, VCFtools, and QEMU.
The last seven days sees Cisco release security advisories to address serious vulnerabilities found across many of its devices. Among the vulnerabilities addressed, two( CVE-2019-1804 - Privilege escalation, and CVE-2019-1867 - Authentication bypass) are deemed critical and are fixed with security updates.
Cisco’s popular data center switches Nexus 9000 Series were affected the most. It housed two privilege escalation vulnerabilities and a critical default SSH key flaw. Other products that had major flaws include Cisco Umbrella, Cisco Elastic Services Controller, Cisco IOS XE and Cisco Secure Boot.
Cisco has released software updates for all the products except for Secure Boot - which has impacted millions of hardware components. It is expected to be available in the coming days. Nonetheless, users of all the aforementioned products are advised to update to the latest version, which is indicated in its advisories. The advisories can be found here.
Intel has released 12 security advisories this month. The advisories for various software and hardware products cover critical flaws and their resolutions. Flaws include ID, Dos, and privilege escalation. Products affected with these flaws are Intel Driver & Support Assistant, Intel NUC, Intel i915 Graphics for Linux, Intel Unite Client, Intel Quartus, Intel PROSet WiFi Software, Intel CSME, Intel SPS, Intel DAL, Intel TXE, and Intel AMT. Updates are available to all these products which fix the flaws.
The most notable among the vulnerabilities is the MDS flaw (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091) which has impacted millions of computers. Intel has planned to release the Microcode Updates in the coming days, to remediate this large-scale vulnerability. Meanwhile, Intel has mentioned that it has worked with operating system vendors, equipment manufacturers, and other partners to protect devices from attacks exploiting MDS flaws. Microsoft, Canonical, Google, and VMWare have already released patches which remediate these set of flaws.
Microsoft has announced the massive May 2019 security release. This batch contains security updates for a wide range of products. A total of 79 security vulnerabilities are patched. The products covered are Adobe Flash Player, Microsoft Windows, Internet Explorer, Microsoft Edge, Microsoft Office, Team Foundation Server, Visual Studio, Azure DevOps Server, SQL Server, .NET Framework, .NET Core, ASP.NET Core, ChakraCore, Online Services, Azure, NuGet and Skype for Android.
The updates also address a serious zero-day flaw - CVE-2019-0863, which was exploited to gain elevated access from Microsoft accounts. Likewise, software updates to mitigate Intel MDS flaws were also released.
NVIDIA has released a software security update for its GPU Display Driver. This update addresses three flaws that could lead to DoS, privilege escalation, ACE, or ID. The three flaws(CVE‑2019‑5675, CVE‑2019‑5676, and CVE‑2019‑5677) impact drivers of NVIDIA’s popular products such as GeForce, Quadro, NVS and Tesla. Among the flaws, CVE‑2019‑5675 is the most severe with a CVSS score of 7.7.
Users are recommended to update to the latest versions mentioned here.
ERP software provider SAP has published eight Security Notes yesterday. Out of the vulnerabilities addressed in them, only one was rated high-priority with the rest being rated ‘medium’. Vulnerability types covered in the Security Notes are missing authorization checks, ID and privilege escalation. The high-priority flaw was, in fact, a privilege escalation vulnerability that existed in SAP Identity Management’s REST interface.
SAP products affected by the flaws are SAP BusinessObjects BI platform/ Central Management Server, SAP Treasury and Risk Management, SAP E-Commerce, SAP Solution Manager, SAP ABAP.
In addition, SAP released five follow-up updates to previously released Security Notes.
Siemens has issued a total of 13 new advisories for this month. These advisories address multiple critical vulnerabilities found in SCALANCE, LOGO, SINAMICS Perfect Harmony, SIMATIC, SIMOCODE, and other industrial product range. A product from SCALANCE and SIMATIC had the most critical vulnerability (CVSS 9.8).
LOGO products were affected by three critical and high-severity flaws including ACE. SINAMICS Perfect Harmony GH180 medium-voltage converters were impacted by two high-severity DoS vulnerabilities.
The vulnerabilities are patched in the recent security updates. Users are advised to update to these latest versions.
VMware has published two security advisories which address Intel MDS flaws, as well as a VMware Workstation flaw. The first advisory covers Hypervisor and OS system-related mitigations for MDS flaws. The second advisory addresses a DLL-hijacking flaw due to improper loading of DLL files in the Workstation application.