RDP Flaws in Spotlight with Microsoft's August Patch Rollout
Microsoft addressed about 93 common vulnerabilities and exposures (CVEs) in its August security patch release, issued Tuesday.
According to Chris Goettl, director of product management for security at Ivanti, this patch bundle is actually considered to be a "light load," and notable for having no fixes for zero-day exploits.
"Microsoft resolved a total of 93 unique CVEs this month, but surprisingly there are NO zero days OR publicly disclosed vulnerabilities!" Goettl stated in an e-mail. "It has been a long time since I remember that happening."
Ivanti plans to hold a Patch Tuesday online discussion session concerning this month's security updates on Wednesday, Aug. 14, which requires registration to attend. Microsoft's ultimate source for patchers is its "Security Update Guide," which this month consists of 118 mind-numbing pages.
Security analysts sometimes differ on their patch counts. Cisco's Talos security researchers tallied 97 Microsoft software vulnerabilities this month, with 31 rated "Critical," 65 deemed "Important" and one labeled "Moderate."
There's a familiar theme in the August security updates, namely holes associated with Remote Desktop Protocol (RDP). Microsoft this month warned about "BlueKeep" (CVE-2019-0708) exploits now being available to attackers, but it also found a few new RDP issues, and they're getting addressed in this month's patch bundle.
For instance, two "Critical"-rated patches this month, for CVE-2019-1181 and CVE-2019-1182, are fixes for potentially "wormable" exploits associated with RDP, similar to the BlueKeep situation. Left unpatched, these two vulnerabilities could be exploited and spread "from vulnerable computer to vulnerable computer without user interaction," warned Simon Pope, director of incident response at the Microsoft Security Response Center, in a Tuesday announcement.
Unlike the BlueKeep exploit, the CVE-2019-1181 and CVE-2019-1182 vulnerabilities don't apply to Windows XP, Windows Server 2003 and Windows 2008. However, newer Windows products are affected.
"The affected versions of Windows are Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, and all supported versions of Windows 10, including server versions," Pope indicated.
Pope explained that affected Windows systems should be patched quickly "because of the elevated risks associated with wormable vulnerabilities." Network Level Authentication, which requires users to authenticate before a remote desktop session is established, offers a "partial mitigation on affected systems," he added.
Dustin Childs of Trend Micro's Zero Day Project counted a total of four Critical RDP-associated patches this month. He added CVE-2019-1222 and CVE-2019-1226 to the mix described by Microsoft. All of these vulnerabilities share the same attack scenario where "an attacker can get code execution at system level by sending a specially crafted pre-authentication RDP packet to an affected RDS server," Childs noted. "If you must have an internet-facing RDP server, patch immediately (and reconsider your server placement)," he advised.
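The following PowerShell script is an added example, not code from the article or from Microsoft; it reads the standard Terminal Server registry settings on a Windows host and reports whether RDP is enabled and whether Network Level Authentication is required, the partial mitigation Microsoft cites for CVE-2019-1181 and CVE-2019-1182. The registry paths and value names are the documented RDP-Tcp settings; the assessment strings are this example's own. Run it in an elevated PowerShell session.

```powershell
# Added example: audit the RDP exposure of the local host.
# Assumed registry locations (standard Terminal Server settings, not from the article):
#   fDenyTSConnections  1 = RDP disabled, 0 = RDP enabled
#   UserAuthentication  1 = NLA required, 0 = NLA not required
#   SecurityLayer       0 = legacy RDP security, 1 = negotiate, 2 = TLS
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

$ts  = Get-ItemProperty -Path $tsKey  -ErrorAction Stop
$rdp = Get-ItemProperty -Path $rdpKey -ErrorAction Stop

$rdpEnabled  = ($ts.fDenyTSConnections -eq 0)
$nlaRequired = ($rdp.UserAuthentication -eq 1)

# Rank the host so the output can be sorted across a fleet.
$assessment =
    if (-not $rdpEnabled) {
        'RDP disabled on this host'
    } elseif ($nlaRequired) {
        'NLA required: partial mitigation in place, still install the August updates'
    } else {
        'RDP enabled WITHOUT NLA: unauthenticated clients reach the RDS service, patch first'
    }

[pscustomobject]@{
    ComputerName  = $env:COMPUTERNAME
    RdpEnabled    = $rdpEnabled
    NlaRequired   = $nlaRequired
    SecurityLayer = $rdp.SecurityLayer
    Assessment    = $assessment
}

# Remediation the article describes as a partial mitigation (uncomment to apply):
# Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1
```

Because NLA only reduces the pre-authentication surface rather than removing the bug, the script deliberately reports "still install the August updates" even when NLA is on; the patch state itself should be checked against the KB numbers in the Security Update Guide, which this article does not list.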
Other Notable Vulnerabilities
Childs noted a few other Critical vulnerabilities this month. There's a Windows DHCP client remote code execution issue (CVE-2019-0736), which is also potentially wormable. An .LNK remote code execution vulnerability (CVE-2019-1188) requires that users click on a file with the .LNK extension. Microsoft Word has a remote code execution vulnerability (CVE-2019-1201) that can be triggered through the Outlook Preview Pane, so it should be at the top of the patch list, he explained.
Microsoft also issued an Important patch for a Bluetooth Classic device vulnerability (CVE-2019-9506) that lets attackers reduce a key length to 1 byte. It's a flaw noted by the CERT Coordination Center, with a high 9.3 score per the Common Vulnerability Scoring System, even though an attacker would need "specialized hardware" and would have to be within range of a Bluetooth device.
Adobe also released its August patches, addressing 119 CVEs, Childs noted.
Microsoft also issued two advisories this month.
In ADV190023, Microsoft warned about unsafe default configurations in the Lightweight Directory Access Protocol, which is used for querying and updating the Active Directory service. Microsoft is recommending "enabling LDAP channel binding and LDAP signing on Active Directory Domain Controllers" to reduce the chances of potential elevation-of-privilege exploits.
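As an added example (not code from the article or from Microsoft's advisory), the following PowerShell script reads the two NTDS registry values that control LDAP signing and LDAP channel binding on a domain controller, reports whether the hardening recommended in ADV190023 is in place, and counts recent Directory Service events that record clients binding without signing. The value meanings are the documented NTDS parameter semantics; the event ID 2889 check assumes LDAP interface event logging has been enabled on the DC. Run it on a domain controller as an administrator.

```powershell
# Added example: check the ADV190023 hardening settings on a domain controller.
# Assumed value semantics (documented NTDS parameters, not from the article):
#   LDAPServerIntegrity       0 or 1 = signing negotiated/not required, 2 = signing required
#   LdapEnforceChannelBinding 0 = never, 1 = when the client supports it, 2 = always
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$p = Get-ItemProperty -Path $ntds -ErrorAction Stop

# Absent values fall back to the historical defaults: signing negotiated, binding not enforced.
$signing = if ($null -eq $p.LDAPServerIntegrity)       { 1 } else { [int]$p.LDAPServerIntegrity }
$binding = if ($null -eq $p.LdapEnforceChannelBinding) { 0 } else { [int]$p.LdapEnforceChannelBinding }

# Event 2889 in the Directory Service log records a client that bound without signing,
# once "16 LDAP Interface Events" diagnostics are raised to level 2. Counting them over
# the last 24 hours shows which clients would break if signing were enforced today.
$since = (Get-Date).AddHours(-24)
$unsignedBinds = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 2889
        StartTime = $since
    } -ErrorAction SilentlyContinue)

[pscustomobject]@{
    ComputerName            = $env:COMPUTERNAME
    LdapSigningRequired     = ($signing -eq 2)
    ChannelBindingEnforced  = ($binding -eq 2)
    UnsignedBindsLast24h    = $unsignedBinds.Count
    Recommendation          = if ($signing -eq 2 -and $binding -eq 2) {
                                  'ADV190023 hardening in place'
                              } elseif ($unsignedBinds.Count -gt 0) {
                                  'Clients still bind unsigned: fix those clients before enforcing'
                              } else {
                                  'No unsigned binds observed: enforce signing and channel binding'
                              }
}

# Enforcement the advisory recommends (uncomment once unsigned clients are remediated):
# Set-ItemProperty -Path $ntds -Name LDAPServerIntegrity       -Value 2
# Set-ItemProperty -Path $ntds -Name LdapEnforceChannelBinding -Value 2
```

Enforcing signing before inventorying clients is the usual way this change breaks a domain, which is why the script surfaces the 2889 count alongside the settings rather than just flagging them as non-compliant.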
In ADV190014, Microsoft explained that its browser-based Outlook e-mail program could get exploited via an unsigned token for Microsoft Live account users. However, Microsoft has already fixed this problem for those end users.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.