Microsoft patched 93 vulnerabilities, including two BlueKeep-like remote code execution (RCE) flaws.
The two flaws, CVE-2019-1181 and CVE-2019-1182, in Remote Desktop Services, are “wormable,” Simon Pope, director of incident response at the Microsoft Security Response Center (MSRC), wrote in a blog post, “meaning that any future malware that exploits these could propagate from vulnerable computer to vulnerable computer without user interaction.”
The flaws affect Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1 and Windows Server 2012 R2, as well as supported Windows 10 versions, but not Windows XP, Windows Server 2003 and Windows Server 2008.
None of the vulnerabilities have been exploited or likely known to third parties; rather, they “were discovered by Microsoft during hardening of Remote Desktop Services as part of our continual focus on strengthening the security of our products,” Pope wrote.
He urged users to patch affected systems quickly “because of the elevated risks associated with wormable vulnerabilities like these.” Fixes are available for download in the Microsoft Security Update Guide.
Noting “partial mitigation on affected systems that have Network Level Authentication (NLA) enabled,” Pope said that “the affected systems are mitigated against ‘wormable’ malware or advanced malware threats that could exploit the vulnerability, as NLA requires authentication before the vulnerability can be triggered.”
Among the Patch Tuesday fixes is one for a critical vulnerability, CVE-2019-1201, found in Microsoft Word and which is “due to an improper handling of objects in memory,” said Satnam Narang, senior research engineer at Tenable. “An attacker could exploit this flaw by creating a specially crafted Microsoft Word file and convincing their victim to open the file on a vulnerable system, either by attaching it to a malicious email or hosting it on a malicious website.”
The Outlook Reading/Preview Pane is an attack vector, Microsoft has said, “meaning the vulnerability could be exploited by merely viewing the email without opening an attachment,” Narang explained. “Successful exploitation would allow an attacker to perform actions on the system using the same permissions as the current user."
Calling the patches “a light set of operating system and application security updates,” including 35 CVEs for Server 2008 and 78 CVEs for the Windows 10 updates, Chris Goettl, director of product management, security, Ivanti, expressed surprise that “there are NO zero days OR publicly disclosed vulnerabilities! It has been long time since I remember that happening.”
Like Pope, he advised users to apply patches for the RDP vulnerabilities “immediately.”
Goettl specifically called out CVE-2019-9506, an Encryption Key Negotiation of Bluetooth Vulnerability, a tampering flaw that carries a CVSS score of 9.3. “It requires specialized hardware to exploit, but can allow wireless access and disruption within Bluetooth range of the device being attacked,” said Goettl. “Microsoft provided an update to address the issue, but the new functionality is disabled by default.”