Microsoft issued the August 2019 Security Updates on Tuesday that include 93 unique vulnerability fixes, 29 of those rated critical. In addition, two of the patches address two critical Remote Code Execution (RCE) “wormable” vulnerabilities (CVE-2019-1181 and CVE-2019-1182) in Remote Desktop Services.
The updates address multiple Microsoft products to include:
- Active Directory
- ChakraCore
- Edge
- Internet Explorer
- Microsoft Dynamics
- Microsoft Office and Microsoft Office Services and Web Apps
- Online Services
- Visual Studio
- Windows.
Microsoft has provided patches for the vulnerabilities for each of the CVEs summarized in the August 2019 Security Updates Release Notes.
Remote Code Execution vulnerabilities
Likely the highest priority of the Critical patches address two Remote Code Execution vulnerabilities (CVE-2019-1181 and CVE-2019-1182) in Remote Desktop Services that Microsoft describes as “wormable.”
In other words, future malware could exploit these bugs and propagate between vulnerable computers without any user interaction, similar to BlueKeep CVE-2019-0708.
“It is important that affected systems are patched as quickly as possible because of the elevated risks associated with wormable vulnerabilities like these,” Microsoft noted in a blog post.
In addition, two other Critical pre-authentication RCE vulnerabilities CVE-2019-1222 and CVE-2019-1226 also impact Remote Desktop Services. All four can be exploited without authentication and no user interaction.
Security researcher Kevin Beaumont (who named BlueKeep) wrote about these RDP-related vulnerabilities and three others in a blog post Tuesday. In the post, he referred to them collectively as the “Seven Monkeys” that affect modern versions of Windows. Whereas BlueKeep impacted legacy versions of Windows.
Also, Microsoft provided multiple other RCE patches to include: Hyper-V (CVE-2019-0720 and CVE-2019-0965), Windows DHCP Client (CVE-2019-0736), and Windows 2008’s DHCP Server (CVE-2019-1213).
In all, Microsoft patched 29 Critical vulnerabilities, all of them RCE bugs.
Rounding out the other types of issues included in this month’s patch update:
- 23 Elevation of Privilege bugs (all rated Important)
- 15 Denial of Service (all rated Important)
- 16 Information Disclosure (15 Important, 1 Low)
- 4 Security Feature Bypass (3 Important, 1 Low)
- 2 Spoofing (each rated Important)
- 1 Tampering (Important).
One of the Important patches fix an Elevation of Privilege vulnerability CVE-2019-1162 that exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC).
Finally, check out Microsoft’s August Security Update for additional details on all patches.