
Patch Tuesday August 2019

This month, Microsoft patches ‘wormable’ vulnerabilities in Remote Desktop that it discovered during routine hardening and remote code execution flaws in Edge and IE, and issues a new advisory on LDAP security for Active Directory.

Windows and Windows Server

This month there’s a series of remote code execution (RCE) vulnerabilities patched in Windows that could allow hackers to obtain full user rights. One of the bugs affects Hyper-V on a host server when it fails to properly validate input from an authenticated user on a guest operating system. An attacker could run a specially crafted application in a guest virtual machine (VM) to force the Hyper-V host to execute arbitrary code. Another fix addresses a flaw in which an unauthenticated attacker connects to Windows using RDP and sends specially crafted requests. Microsoft says that this is a pre-authentication vulnerability and doesn’t require any user interaction. It could allow an attacker to execute arbitrary code and obtain full user rights.

Two of the critical RCEs, CVE-2019-1181 and CVE-2019-1182, are wormable, meaning that they could spread laterally around a network and might be used in a future malware attack that wouldn’t require any user interaction. These flaws affect Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, and versions of Windows 10 and its server equivalents. Windows XP, Windows Server 2003, and Windows Server 2008 are not affected.

It’s not thought that these vulnerabilities have been exploited in the wild yet. But because they are likely to be exploited and don’t need any user interaction, it’s critical to make sure you get these patches applied as soon as possible.

Another RCE flaw is patched in the way .lnk files are processed. Users with limited rights would be less impacted than those with full administrator access. There’s also a vulnerability in the way the Windows font library handles embedded fonts, potentially letting a hacker obtain full user rights. This flaw could be exploited using a specially crafted website or file attachment.

There are 50 other fixes rated critical, including some more RCE bugs, and a healthy dose of elevation of privilege (EoP) flaws, most of which relate to system DLLs that improperly handle objects in memory. One security feature bypass vulnerability gets patched that lets an attacker inject code into CAB files without invalidating file signatures. Six RCEs are patched in the Microsoft Graphics component, two in the Windows DHCP client, and three in scripting engine components.

Microsoft Edge and Internet Explorer

There are 7 critical patches for RCEs in Edge this month. They involve problems with how objects are handled in memory and could let an attacker get full user rights. Two critical RCEs are also patched in Internet Explorer (IE) 11.

Active Directory Advisory

This month, Microsoft has updated its advice about LDAP signing and channel binding. You can find the details here.

Microsoft Office

Office 365 ProPlus gets 4 patches for critical RCEs, again where objects are not handled properly in memory. There are 2 important fixes. One is another RCE flaw and the second is an EoP bug in Outlook that initiates processing of incoming messages without enough validation. It could let an attacker force Outlook to load a local or remote message store.

SharePoint and Exchange

SharePoint gets two critical RCE patches. I’ll let you guess what they involve – hint: objects in memory. There are also two important fixes: one for an information disclosure issue and the second for spoofing.

There’s an EoP vulnerability in Outlook Web Access (OWA) affecting Office 365, Exchange Online, and Outlook.com that could let an attacker get access to another person’s inbox. An attacker would need to replace an unsigned token with a different one. Microsoft says that this vulnerability has been mitigated for all Microsoft Live accounts.

Adobe

It might be hard to believe but this is the second month in a row with no patches for Adobe Flash Player. But there are other fixes for Adobe products, including Photoshop, Acrobat and Acrobat Reader, Creative Cloud, After Effects, and Premiere Pro.

That’s it for this month. Happy patching!

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.