Microsoft Patches Over 90 Vulnerabilities With August 2019 Updates

Microsoft Patch Tuesday security updates for August 2019 address more than 90 flaws, including two new ‘ wormable ‘ issues in Windows Remote Desktop Services.

Microsoft Patch Tuesday security updates for August 2019 fix 93 vulnerabilities, including two new ‘ wormable ‘ issues in Windows Remote Desktop Services.

The list of flaws addressed by the tech giant doesn’t include zero-days or publicly disclosed vulnerabilities, 29 issues were rated as ‘Critical’ and affect Microsoft’s Edge and Internet Explorer web browsers, Windows, Outlook and Office.

The Microsoft Patch Tuesday security updates for August 2019 security address flaws in the following products:

Microsoft Windows

Internet Explorer

Microsoft Edge

ChakraCore

Microsoft Office and Microsoft Office Services and Web Apps

Visual Studio

Online Services

Active Directory

Microsoft Dynamics

Four of the critical flaws are remote code execution issues impacting the Remote Desktop Services (RDS). The vulnerabilities are tracked as CVE-2019-1181, CVE-2019-1182, CVE-2019-1222 and CVE-2019-1226.

Microsoft confirmed that the flaws CVE-2019-1181 and CVE-2019-1182 are wormable like the recently patched BlueKeep vulnerability. A wormable flaw could be exploited by malware to propagate from vulnerable computer to vulnerable computer without any user interaction.

“A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction.” reads the security advisory for the CVE-2019-1181.”An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

While the security advisory for the CVE-2019-1182 issue states:

“A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Both vulnerabilities could be exploited by an attacker by sending a specially crafted request to the target systems Remote Desktop Service via RDP. Unlike BlueKeep, the flaws cannot be exploited via the Remote Desktop Protocol (RDP).

The flaws affect Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, and all supported versions of Windows 10, including server versions. Windows XP, Windows Server 2003, and Windows Server 2008 are not affected.

Simon Pope, Director of Incident Response at the Microsoft Security Response Center (MSRC) revealed that Microsoft found the flaws while was analyzing the security of the RDS package.

“These vulnerabilities were discovered by Microsoft during hardening of Remote Desktop Services as part of our continual focus on strengthening the security of our products. At this time, we have no evidence that these vulnerabilities were known to any third party.” said Pope.

“It is important that affected systems are patched as quickly as possible because of the elevated risks associated with wormable vulnerabilities like these, and downloads for these can be found in the Microsoft Security Update Guide. Customers who have automatic updates enabled are automatically protected by these fixes. “

“These four bugs share the same impact and exploit scenarios. An attacker can get code execution at system level by sending a specially crafted pre-authentication RDP packet to an affected RDS server,” reads a blog post published by ZDI.

Microsoft also addressed another wormable remote code execution flaw in Windows DHCP client (CVE-2019-0736) that could be exploited by sending specially crafted packets to the client, without the need for user interaction or authentication.

“A memory corruption vulnerability exists in the Windows DHCP client when an attacker sends specially crafted DHCP responses to a client. An attacker who successfully exploited the vulnerability could run arbitrary code on the client machine.” reads the advisory.

“To exploit the vulnerability, an attacker could send specially crafted DHCP responses to a client.”

Microsoft also fixed a remote code execution vulnerability ( CVE-2019-1188) in Microsoft Windows that could be exploited by an attacker to achieve remote code execution if a .LNK file is processed.

This issue reminds us of the flaw exploited by the Stuxnet malware back in 2010.

The remaining vulnerabilities have been rated by Microsoft as “important”.

This month, Adobe’s Patch Tuesday security updates addressed a total of 119 vulnerabilities affecting multiple products, including After Effects, Character Animator, Premiere Pro, Prelude, Creative Cloud, Acrobat and Reader, Experience Manager, and Photoshop.

A few hours ago, the popular cyber security expert Tavis Ormandy, white hat hacker at Google’s Project Zero Team, disclosed technical details of 20-year-old vulnerability that is still unpatched .

The vulnerability, rated as high-severity, affects all versions of Microsoft Windows from Windows XP.

Pierluigi Paganini

(SecurityAffairs – Microsoft Patch Tuesday, hacking)