Microsoft fixes Intel ZombieLoad bug with Patch Tuesday updates

Microsoft’s May 2019 Patch Tuesday fixed 79 vulnerabilities, 19 of which are classed as Critical. Here’s a summary of the most notable ones. 

ZombieLoad

The update fixed a processor logic flaw (CVE-2018-12130) that allows computer programs to steal each other’s data.

Discovered by researchers at the Graz University of Technology and KU Leuven, the attack is able to read data between different threads, which are separate programs running on the same physical computer core.

ZombieLoad is known as a Microarchitectural Data Sampling (MDS) vulnerability, and it shares some characteristics with Spectre and Meltdown, the two side-channel attacks announced in January 2018. It is a flaw in Intel processor hardware, meaning that it affects any operating system running on x86 chips, including Windows. It uses Intel’s speculative execution feature to pilfer other programs’ data. As Microsoft explained in the note associated with the patch:

In shared resource environments (such as exists in some cloud services configurations), these vulnerabilities could allow one virtual machine to improperly access information from another.

The attack affects both desktop and server-based systems, although exploiting it isn’t trivial. Someone would need to run a malicious app on the target system.

Microsoft’s patch joins other fixes from companies including Apple and Google. It provides a software workaround until Intel fixes the bug in future processor releases. The patch probably won’t affect performance on consumer systems, said the advisory.

Just as with the software fixes for Spectre and Meltdown, then, the people feeling any performance hit from the software patch will be server customers. Microsoft says that to get full protection, server admins might have to disable the Hyper-Threading functionality that the attack exploits.

Windows Server

Microsoft included several fixes for critical vulnerabilities that could enable an attacker to run code remotely on a target system. These include CVE-2019-0725, a vulnerability in Windows Server’s DHCP server.

CVE-2019-0708 allows someone sending specially crafted packets to Windows Server’s Remote Desktop Services system to run code on it, even if they are not authenticated on the system. CVE-2019-0708 is so serious that Microsoft has even released patches for its long-unsupported operating systems, Windows 2003 and XP.

For more on this, read our companion article dealing with the potential consequences, affected systems and mitigations for this remote, ‘wormable’ Windows vulnerability.

Another patch fixes CVE-2019-0903, which exploits a problem in Windows Server’s Windows Graphics Device Interface (GDI), and enables an attacker to run code via a malicious web site or file.

Edge and IE 11

The Patch Tuesday releases also fix several critical remote code execution vulnerabilities targeting the Edge and Internet Explorer 11 browsers. Some, including CVE-2019-0911, CVE-2019-0912, CVE-2019-0914, CVE-2019-0924, and CVE-2019-0925, use flaws in Edge’s scripting engine to gain the same privileges as the current user, while CVE-2019-0926 exploits the way that Edge accesses objects in memory.

Microsoft Office

Microsoft also patched CVE-2019-0953, a remote code execution vulnerability in Microsoft Office which lets an attacker run code as the targeted user by persuading them to open a malicious file. That vulnerability affects both Mac and Windows systems.

Adobe

Adobe’s ADV190012 fixes a critical remote code execution vulnerability in Adobe Flash, and APSB19-29 was released to fix an RCE vulnerability in Adobe Media Encoder.

Patches for a mammoth 84 flaws were released for Adobe Acrobat and Reader on Windows and macOS, so head to APSB19-18 for details.