Scala Security Bulletin Regarding May 2019 Security Updates: May 14, 2019
Issue: Microsoft released a set of security updates for many versions of Windows on May 14, 2019. At the time of publishing, Scala, Inc. is not aware of reports of any exploits using these vulnerabilities.
Background:
Microsoft announced a Remote Code Execution vulnerability in certain Windows versions whereby an unauthenticated attacker can exploit affected systems, with the potential of an exploit propagating to other vulnerable machines on a network.
This issue may affect customers running Scala Enterprise Content Manager using an older affected Windows Server version, as well as customers running Scala Enterprise players using an older affected Windows version. Scala's recommended default player and network configuration at time of provisioning prevents direct RDP access, however customers should verify their deployed configuration and patch all potentially vulnerable systems.
Microsoft has released patches for all affected supported versions of Windows (Windows Server 2008, Server 2008R2, and Windows 7), as well as out of support affected Windows versions including XP, XPE, WES2009, Server 2003, Server 2003R2.
Normally, Microsoft security updates work as intended without significant side-effects, but occasionally Microsoft does have to revise updates to address issues caused by their initial release. If you are pressed to deploy these updates, the best practice is to test for compatibility and suitability using representative systems in your own lab. Many customers prefer to wait until the updates have established a successful track record within the wider community before deploying.
Resolution: We recommend that our customers assess the impact of this vulnerability to their deployed network and consult the following Microsoft security resources: