Microsoft’s made its ritual Patch Tuesday announcement, this time taking the unusual step of issuing a patch for software that’s no longer supported.
The vulnerability that’s generated the unusual response is CVE-2019-0708, for which Microsoft even penned a separate advisory. The reason for the extra layer of caution is that the flaw is a critical remote code execution vulnerability in Remote Desktop Services that Microsoft says “could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.” And it’s already under attack.
The good news is that Windows 10 and 8 don’t have the flaw. The bad news is that plenty of unsupported Microsoft operating systems do, so the company has urged users of Windows 7, XP, and Server 2008 and 2003 to apply the special patch once it’s rolled out even though those OSes have reached end of life. Microsoft’s overarching security advice is to ditch those old OSes.
The rest of May’s fixes, listed here, address a total of 22 critical-rated flaws.
Another critical vuln, CVE-2019-0725, affects the Windows DHCP server and continues a line of similar patches from recent months. The flaw is under active attack, as is CVE-2019-0863 – a Windows Error Reporting elevation of privilege vulnerability.
Microsoft Word 2016 also received a patch for a critical vulnerability. Detailed here, the remote code execution vulnerability sounds like a phisher’s delight because it allows a specially crafted file to run code as the logged-in user.
If you want to prioritise your patching, the Zero Day Initiative helpfully lists all of the patches and their severity ratings here.
Adobe has also issued its monthly patch potpourri. Acrobat and Reader have seven critical flaws to fix, Flash Player has one and Media Encoder also has a sole critical nasty, although all products have many other flaws worth fixing.