Microsoft's August Security Patches Address New RDP Vulnerabilities

Microsoft on Tuesday released August security updates, addressing about 93 common vulnerabilities and exposures (CVEs).

This month's patch bundle is actually considered to be a "light load," according to Chris Goettl, director of product management for security at Ivanti. Moreover, the release is somewhat notable for having no fixes for zero-day exploits this month.

"Microsoft resolved a total of 93 unique CVEs this month, but surprisingly there are NO zero days OR publicly disclosed vulnerabilities!" Goettl stated in an e-mail. "It has been long time since I remember that happening."

Ivanti plans to hold a patch Tuesday online discussion session concerning this month's security updates on Wednesday, Aug. 14, which requires registration to attend. Microsoft's ultimate source for patchers is its "Security Update Guide," which this month consists of 118 mind-numbing pages.

Security analysts sometimes differ on their patch counts. Cisco's Talos security researchers tallied 97 Microsoft software vulnerabilities this month, with 31 rated "Critical," 65 deemed "Important" and one labeled "Moderate."

RDP-Associated Patches
There's a familiar theme in the August security updates, namely holes associated with Remote Desktop Protocol (RDP). Microsoft this month warned about "BlueKeep" (CVE-2019-0708) exploits now being available to attackers, but it also found a few new RDP issues, and they're getting addressed in this month's patch bundle.

For instance, two "Critical"-rated patches this month, for CVE-2019-1181 and CVE-2019-1182, are fixes for potentially "wormable" exploits associated with RDP, similar to the BlueKeep situation. Left unpatched, these two vulnerabilities could be exploited and spread "from vulnerable computer to vulnerable computer without user interaction," warned Simon Pope, director of incident response at the Microsoft Security Response Center, in a Tuesday announcement.

Unlike the BlueKeep exploit, the CVE-2019-1181 and CVE-2019-1182 vulnerabilities don't apply to Windows XP, Windows Server 2003 and Windows 2008. However, newer Windows products are affected.

"The affected versions of Windows are Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, and all supported versions of Windows 10, including server versions," Pope indicated.

Pope explained that affected Windows systems should be patched quickly "because of the elevated risks associated with wormable vulnerabilities." Organizations using Network Level Authentication, which requires user authentications, offers a "partial mitigation on affected systems," he added.

Dustin Childs of Trend Micro's Zero Day Project counted a total of four Critical RDP-associated patches this month. He added CVE-2019-1222 and CVE-2019-1226 to the mix described by Microsoft. All of these vulnerabilities share the same attack scenario where "an attacker can get code execution at system level by sending a specially crafted pre-authentication RDP packet to an affected RDS server," Childs noted. "If you must have an internet-facing RDP server, patch immediately (and reconsider your server placement)," he advised. 

Other Notable Vulnerabilities
Childs noted a few other Critical vulnerabilities this month. There's a Windows DHCP client remote code execution issue (CVE-2019-0736), which is also potentially wormable. An .LNK remote code execution vulnerability (CVE-2019-1188) requires that users click on a file with the .LNK extension. Microsoft Word has a remote code execution vulnerability (CVE-2019-1201) that can be triggered through the Outlook Preview Pane, so it should be at the top of the patch list, he explained.

Microsoft also issued an Important patch for a Bluetooth Classic device vulnerability (CVE-2019-9506) that lets attackers reduce a key length to 1 byte. It's a flaw noted by the CERT Coordination Center, with a high 9.3 score per the Common Vulnerability Scoring System, even though an attacker would need "specialized hardware" and would have to be within range of a Bluetooth device.

Adobe also released its August patches, addressing 119 CVEs, Childs noted.

Microsoft also issued two advisories this month.

In ADV190023, Microsoft warned about unsafe default configurations in the Lightweight Directory Access Protocol, which is used for querying and updating the Active Directory service. Microsoft is recommending "enabling LDAP channel binding and LDAP signing on Active Directory Domain Controllers" to reduce the chances of potential elevation-of-privilege exploits.

In ADV190014, Microsoft explained that its browser-based Outlook e-mail program could get exploited via an unsigned token for Microsoft Live account users. However, Microsoft has already fixed this problem for those end users.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.


  • First Chromium-Based Edge Browser Beta Release Now Available

    Microsoft Edge Insider Program participants now have access to the Beta Channel release of Microsoft's Chromium-based Edge Web browser on the Windows and Mac platforms.

  • Microsoft Planning To Answer Windows Virtual Desktop Questions Next Week

    Microsoft has set aside time to answer questions about its emerging Windows Virtual Desktop service on Wednesday of next week, according to an announcement.

  • With EPYC Rome Chips, AMD Could Eclipse Intel in Datacenter

    AMD's high-profile EPYC 7002 launch has datacenter analysts wondering if the end of Intel's long reign is nigh.

  • Microsoft Buys jClarity for Azure-Based Java Workloads

    In a bid to support its "continued contributions to open source while driving increased performance for Java workloads on Azure," Microsoft on Monday announced its acquisition of jClarity.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.