Hot on the heels of several Apple security advisories on Monday, May's Patch Tuesday sees Microsoft fix nearly 80 vulnerabilities across their product line, some of them very serious indeed, and Adobe address over 80 in Acrobat Reader alone. A fix for a critical remote code execution (RCE) vulnerability in Flash was also released, as well as a security update for Adobe Media Encoder that resolves two CVEs.
The most worrisome vulnerability published today is CVE-2019-0708, which affects Windows 7, Windows Server 2008 R2, and Windows Server 2008 systems running Remote Desktop Services (RDS). Microsoft considers this so critical that they've even issued a patch for versions of Windows outside of mainstream support such as Windows XP and Server 2003. This is reminiscent of the EternalBlue exploit leak two years ago (nearly to the day), when Microsoft patched out-of-support versions of Windows against MS17-010 in response to the WannaCry ransomware outbreak. If for some reason timely patching is not an option, mitigations for this include disabling RDS if it's not necessary for regular operations, or ensuring that port 3389 is blocked at the network perimeter. This bug is exploitable by crafting a special RDP message and sending it to an affected system without needing to authenticate, allowing an attacker to take full control of the system with no action required by any legitimate user.
One zero-day was fixed today: CVE-2019-0863, an elevation of privilege vulnerability in Microsoft's crash reporting technology, has been seen exploited in the wild. It allows an unprivileged user to run code in kernel mode, granting them full access if they are able to get an initial foothold on an affected system (for example, by exploiting one of the over 40 RCE vulnerabilities patched today).
CVE-2019-0932 is a previously disclosed bug in Skype for Android, which could allow an attacker to secretly listen to a conversation. The victim would first have to answer a call from the attacker while their phone was paired to a Bluetooth device.
A few additional vulnerabilities worth taking note of include CVE-2019-0725 (RCE in Windows Server DHCP service), CVE-2019-0903 (RCE in the Windows Graphics Device Interface that affects all supported versions of Windows), CVE-2019-0953 (RCE in Microsoft Word, potentially exploitable via the Preview Pane), and CVE-2019-0881 (privilege escalation in the Windows Kernel on all supported versions). The usual suspects of browser technologies, SharePoint, and Microsoft's JET Database Engine also got quite a few fixes each and should all be updated as soon as possible.
Also interesting this month are 4 "Microarchitectural Data Sampling" vulnerabilities, a new subclass of speculative execution side channel vulnerabilities. These are processor-level flaws, affecting various Intel chips independent of the operating system running on them. Microsoft has released detailed guidance for this in their ADV190013 security advisory.
Note: not all CVEs had CVSSv3 data available at the time of writing