August Patch Tuesday: Remote Vulnerabilities Worm Their Way In

August Patch Tuesday: Remote Vulnerabilities Worm Their Way In

August Patch Tuesday: Remote Vulnerabilities Worm Their Way In

This month, Microsoft reported 29 critical CVEs, including four critical remote code-execution (RCE) vulnerabilities in Remote Desktop Services (RDS) and a critical RCE flaw in Microsoft Word. These RDS bugs are wormable, allowing an exploit to self-propagate from PC to PC without user interaction, thus setting the scene for a global, fast-moving infection wave. Microsoft have warned this issue is similar in nature but easier to exploit than the Bluekeep vulnerability patched in May.

Microsoft provided several operating system and application security updates this month; on the operating system side, 35 CVEs were addressed for Server 2008, and 78 CVEs for the latest Windows 10 updates. There are updates for Office and SharePoint too, and eight updates released from Adobe.

CVE-2019-1181 and -1182

Microsoft resolved 93 unique CVEs this month, with no zero days or publicly disclosed vulnerabilities! The most pressing CVEs this month are the RDP vulnerabilities, so ensure you apply relevant updates as soon as you can. Microsoft calls out two CVEs in particular (CVE-2019-1181, CVE-2019-1182) which could be exploited via a worm attack.  All of the OS updates are rated priority 1 due to critical vulnerability ratings and the potential for remote code execution.

CVE-2019-9506

Another vulnerability of interest is CVE-2019-9506 – “Encryption Key Negotiation of Bluetooth Vulnerability”. CERT/CC has issued CVE-2019-9506 and VU#918987 for this tampering vulnerability, which has a CVSS score of 9.3. It requires specialist hardware to exploit but allows wireless access and disruption within Bluetooth range of the device that is being attacked. Microsoft addressed the issue with an update, but the new functionality is disabled by default. It must be enabled by setting a flag in the registry.

Adobe Updates

If you are a Creative Cloud or Experience Manager user, you should review this month’s bulletins, as multiple issues are rated Critical. Adobe Acrobat updates have also been released, alongside updates for Acrobat Reader (details under APSB19-41). This update for both Windows and macOS fixes 76 vulnerabilities which are all rated as Important.  There are updates for the Continuous, Classic 2015, and Classic 2017 versions of the products. There was a non-security update for Flash, but it was not included with the release from Microsoft.

Options is actively patching any and all vulnerabilities highlighted above – it is always imperative that operating systems and 3rd party software products are kept up to date. Security doesn’t end with vulnerability patching; well-trained employees and a strong supporting security team are also essential. In 2019 we’ve substantially expanded our team and extended our global operational presence, rolling out rigorous training programs across the board alongside numerous platform security enhancements and the deployment of new cybersecurity initiatives to safeguard our clients’ data. For the latest on our Security, Intelligence and Analytics product offering, download our product sheet here.

– Vulnerability Management Team

Leave a Reply

Your email address will not be published. Required fields are marked *