Microsoft's June Patch Release the Largest 'In Recent Memory'
The June edition of Microsoft's monthly security patch rollout addresses 88 common vulnerabilities and disclosures (CVEs), the largest "in recent memory," according to a Trend Micro analyst.
Dustin Childs, a member of Trend Micro's Zero Day Initiative, counted 21 "Critical" patches and one "Moderate" patch in the rollout, which Microsoft released on Tuesday. The remaining patches are all deemed "Important."
Besides Childs' post, another useful listing can be found in this SANS Internet Storm Center post. Cisco's Talos blog also lists the June security patches. Microsoft's Security Update Guide is the official guide, containing 111 pages of line-by-line descriptions.
Vulnerabilities that Are Public
Four Important patches perhaps lead the top of the list this month because they've been publicly disclosed. Public disclosure is an indicator of increased risk, according to Chris Goettl, director of product management for security at Ivanti, because "attackers have had early access to engineer an exploit to take advantage of these vulnerabilities," he indicated by e-mail. For more details, Ivanti plans to hold its usual "Patch Tuesday" online discussion on Wednesday, June 12, with sign-up available here.
Microsoft's four Important vulnerabilities that were publicly disclosed all affect Windows systems. They're listed as follows:
- CVE-2019-0973, an elevation-of-privilege (EOP) flaw in the Windows Installer for all supported Windows systems.
- CVE-2019-1053, an EOP vulnerability in the Windows Shell for all supported Windows systems.
- CVE-2019-1064, an EOP issue associated with the AppX Deployment Service that affects Windows 10, Windows Server 2016 and Windows Server 2019.
- CVE-2019-1069, a Task Scheduler EOP vulnerability in Windows 10, Windows Server 2016 and Windows Server 2019. Trend Micro's Zero Day Initiative published a technical analysis on this particular vulnerability, which leverages the high privileges of Task Scheduler.
Two of the CVEs that are getting patches this month target NT LAN Manager (NTLM) for remote code execution attacks on Windows systems and were discovered by Preempt Security. NTLM is an old authentication protocol used with Exchange and Active Directory Federation Services that's subject to relay attacks, where an attacker is able to leverage a server's challenge-response mechanism to gain access on another server. NTLM is still in use, despite Microsoft's recommendation to use Kerberos instead.
Preempt Security is claiming credit for finding this month's CVE-2019-1019 vulnerability, a NETLOGON security bypass issue that's present in all supported Windows systems. It's also claiming credit for CVE-2019-1040, a Message Integrity Check vulnerability that can be used to downgrade NTLM security on all supported Windows systems.
Preempt Security researchers were able to "bypass all major NTLM protection mechanisms" by leveraging these vulnerabilities, according an announcement by Yaron Zinar, a senior security researcher at Preempt:
These vulnerabilities allow attackers to remotely execute malicious code on any Windows machine or authenticate to any HTTP server that supports Windows Integrated Authentication (WIA) such as Exchange or ADFS. All Windows versions are vulnerable.
Zinar recommended applying Microsoft's patches, but added that configuration changes are needed to be fully protected. He recommended enforcing SMB signing, blocking NTLM version 1, enforcing LDAP/S signing and enforcing EPA. Removing NTLM where it's not needed is also recommended.
Zinar and fellow Preempt Senior Security Researcher Marina Simakov plan to describe these vulnerabilities at the Black Hat USA 2019 event in August.
Caution on Remote Desktop Protocol Use
Even though this month's voluminous security patches likely will keep IT pros busy, organizations should still be proactive regarding last month's Remote Desktop Services (RDS) patch for the so-called wormable "BlueKeep" vulnerability (CVE-2019-0708), according to Goettl.
In addition, they should review their computing environment's use of the Remote Desktop Protocol (RDP). The added reason is that there's a so-called "GoldBrute" botnet that's active, he noted.
"Currently around 1.6 million public facing RDP servers are under the attack of this botnet," Goettl said. "Instead of exploiting a vulnerability, GoldBrute is attacking weak passwords."
IT pros should check their computing environment's RDP configurations and either block RDP or restrict access to it.
"Ideally blocking RDP at the perimeter is best," Goettl said. "Restricting access to over a VPN controls the exposure of RDP more. Enabling Network Level Authentication can help mitigate BlueKeep. Ensure any credentials available over RDP have strong passwords that are changed regularly."
More details about the GoldBrute botnet can be found in this Kaspersky Threatpost story.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.