Everything You Need to Know About the May 2019 Patches and Vulnerabilities
Headlines about data breaches and potential vulnerabilities are a common occurrence. So much so that we are now hearing regular reports of data breach fatigue, especially after high-profile stories like the recent Facebook data exposure or the Marriott hack. But the past week has been especially difficult with several software vendors announcing a significant number of patches.
Often older software is still in use because of the systems it supports are hard to upgrade like an MRI scanner running Windows XP. Key vendors including Microsoft, Adobe, Citrix, Cisco and Apple each released multiple patches for newly identified vulnerabilities.
How can you stay on top of these patches, ensure you are proactively protecting your organisation and identify all the devices that need to be updated? We have put together a quick roundup of all the patches which have been announced which should make it easier to stay up to date.
It is important to understand that this week’s activity will not be a one-off event. As organisations add more complexity into their environments, solutions are required to help simplify large-scale patching of software, operating systems, mobile devices, servers and routers. Understanding your IT estate is the essential first step in creating a secure technology landscape.
This week you need to ensure you patch:
- Windows XP through to Server 2008[1]
- Adobe
- Apple iOS, macOS and Safari
- Citrix
- Cisco
If any of those vendors are part of your ecosystem, here are important resources and deep dive articles to help you quickly sort through the most pressing patches.
Windows XP through to Server 2008 (79 fixes)
The Microsoft patches were extensive but one of the biggest issues was around the release of several patches for operating systems that are no longer supported, such as Windows XP, due to a vulnerability that may allow for remote code execution (CVE-2019-0708 RDP also known as BlueKeep). This is particularly important to take care of immediately as vulnerabilities in Windows XP were part of the reason that WannaCry ransomware spread so quickly. When patches for older software are released, it is also important to review your entire estate including offline VM’s you may periodically activate, since it can be easy to forget to include them in the broad updates.
Recommended resources to learn more about the recent Microsoft patches, the most important to prioritise and other best practices:
Wired: Microsoft’s First Windows XP Patch In Years Is A Very Bad Sign
ZDNet: Microsoft May 2019 Patch Tuesday arrives with fix for Windows zero-day, MDS attacks
Computerworld: Critical updates to IE and Windows, make for an urgent May Patch Tuesday
Naked Security by Sophos: UPDATE NOW! Critical, remote, ‘wormable’ Windows vulnerability
Adobe (86 fixes)
Adobe also released a long list of patches and potential vulnerabilities this week, many of them focused on Flash Player and Reader. Implement your patches immediately and categorise which old Adobe Creative Cloud applications you may have running.
Recommended resources and background:
Adobe: Security Bulletins and Advisories
Threatpost: Adobe Addresses Critical Adobe Flash Player, Acrobat Reader Flaws
iOS / Apple (173 fixes)
Some of the patches released for Apple were tied to a recently-discovered Intel vulnerability being dubbed “ZombieLoad,” where an attacker could access data directly from Intel processors made since 2011. This group of vulnerabilities is similar to Spectre and Meltdown, although AMD and ARM don’t appear to be affected. It’s important to patch your Macs (and Windows devices since this was included in the same batch of patches as BlueKeep) immediately. The other patches address multiple flaws or issues for iOS, macOS and Safari. With the high number of items that require patches from Apple, this is when a comprehensive and up-to-date inventory of hardware, software and applications running on your network is essential.
Resources:
Threatpost: Apple Patches Intel Side-Channel Bugs; Updates iOS, macOS and More
Snow Community: Current Intel Vulnerability – a quick one on gathering info for your security team!
Tom’s Guide: ZombieLoad Attacks May Affect All Intel CPUs Since 2011: What to Do Now
Citrix
This issue may not have garnered as much attention with the Microsoft, Adobe and Apple patches, but is incredibly important to address since this is also tied to the BlueKeep vulnerability. The vulnerability is tied to Citrix’s Workspaces application and could allow an attacker read/write access to local drives. Citrix recommends that users should upgrade to version 1904 or later.
Citrix: Remote Code Execution Vulnerability in Citrix Workspace app and Receiver for Windows
The Register: Microsoft emits free remote-desktop security patches for WinXP to Server 2008 to avoid another WannaCry
Cisco
Researchers released findings of a new Cisco router vulnerability this week that has potentially devastating results if exploited. The vulnerability could allow attackers to take control of a router. While there are a series of patches that have been released for some products, there are still a number of fixes that won’t be available until later this year.
Resources:
Wired: A Cisco Router Bug Has Massive Global Implications
HelpNetSecurity: High-risk vulnerability in Cisco’s secure boot process impacts millions of devices
Cisco: Cisco IOS XE Software Web UI Command Injection Vulnerability
Complexity increasingly makes handling large patching or version upgrades challenging – but the likelihood that this will get easier any time soon is low. And while there has been so much evolution in IT, organisations are still at the mercy of hardware and software vendors actively communicating these fixes with them. That’s why it’s important to have a process and inventory in place that helps you clearly understand exactly what you have and how to prioritise your actions.
Good luck with the patching!
[1] Note – if you use Sophos AV products, be mindful of some issues the latest Microsoft patches are causing with Sophos’ tools. The advice is to reach out to Sophos directly to troubleshoot.