Microsoft’s August 2019 Patch Tuesday updates fix more than 90 vulnerabilities, but none of them had been exploited in attacks or publicly disclosed before the patches were released.
“Microsoft resolved a total of 93 unique CVEs this month, but surprisingly there are NO zero days OR publicly disclosed vulnerabilities! It has been a long time since I remember that happening,” commented Chris Goettl, director of product management for security at Ivanti.
Of all the security holes patched this month, 29 are rated “critical.” They impact Microsoft’s Edge and Internet Explorer web browsers, Windows, Outlook and Office.
According to Trend Micro’s Zero Day Initiative (ZDI), four of the critical flaws, all related to Remote Desktop Services (RDS) and all allowing remote code execution, appear to be wormable. These vulnerabilities are CVE-2019-1181, CVE-2019-1182, CVE-2019-1222 and CVE-2019-1226.
“These four bugs share the same impact and exploit scenarios. An attacker can get code execution at system level by sending a specially crafted pre-authentication RDP packet to an affected RDS server,” ZDI explained in a blog post. “If that sounds familiar to you, then you are probably thinking about the recently patched BlueKeep vulnerability. Clearly, the folks in Redmond thought similar bugs existed in RDP, and these four patches demonstrate that fact. These bugs also receive Microsoft’s highest exploitability ranking, meaning we could likely see multiple RDP exploits circulating in the near future.”
A remote code execution vulnerability affecting the Windows DHCP client (CVE-2019-0736) could also be wormable since exploitation only involves sending specially crafted packets to the client, without the need for user interaction or authentication.
Another interesting vulnerability that has been rated critical is related to LNK (.lnk) files. ZDI says the bug, tracked as CVE-2019-1188, is similar to one exploited by the notorious Stuxnet malware back in 2010. The flaw can be exploited by getting the targeted user to open a remote network share or by placing a malicious LNK file on a USB drive. Experts say it could be effective for attacking air-gapped systems.
This month’s patches also address a Bluetooth vulnerability related to encryption key negotiation. The flaw is tracked as CVE-2019-9506 and CERT/CC is also expected to publish an advisory for it with the identifier VU#918987.
“[The vulnerability] requires specialized hardware to exploit but can allow wireless access and disruption within Bluetooth range of the device being attacked,” Goettl explained.
The remaining 64 vulnerabilities have been assigned an “important” severity rating by Microsoft. They impact Windows, Dynamics, SharePoint, Edge, Internet Explorer, Outlook, and the Jet database engine.
Adobe’s Patch Tuesday updates for this month resolve 118 vulnerabilities across eight products, including After Effects, Character Animator, Premiere Pro, Prelude, Creative Cloud, Acrobat and Reader, Experience Manager, and Photoshop.