This month Microsoft patches ‘wormable’ vulnerabilities in Remote Desktop that it discovered during routine hardening, remote code execution flaws in Edge and IE, and a new advisory for LDAP security is issued for Active Directory.
Windows and Windows Server
This month there’s a series of remote code execution (RCE) vulnerabilities patched in Windows that could allow hackers to obtain full user rights. One of the bugs affects Hyper-V on a host server when it fails to properly validate input from an authenticated user on a guest operating system. An attacker could run a specially crafted application in a guest virtual machine (VM) to force the Hyper-V host to execute arbitrary code. Another problem is fixed where an unauthenticated attacker connects to Windows using RDP and sends specially crafted requests. Microsoft says that this is a pre-authentication vulnerability and doesn’t require any user interaction. It could allow an attacker to execute arbitrary code and obtain full user rights.
Two of the critical RCEs, CVE-2019-1181 and CVE-2019-1182, are wormable; meaning that they could spread laterally around a network and might be used in a future malware attack that wouldn’t require any user interaction. These flaws affect Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, and versions of Windows 10 and its server equivalents. Windows XP, Windows Server 2003, and Windows Server 2008 are not affected.
It’s not thought that these vulnerabilities have been exploited in the wild yet. But because of the likelihood they will be exploited and don’t need any user interaction, it’s critical to make sure you get these patches applied as soon as possible.
Another RCE flaw is patched in the way .lnk files are processed. Users with limited rights would be less impacted than those with full administrator access. There’s also a vulnerability in the way the Windows font library handles embedded fonts, potentially letting a hacker obtain full user rights. This flaw could be exploited using a specially crafted website or file attachment.
There are 50 other fixes rated critical, including some more RCE bugs, and a healthy dose of elevation of privilege (EoP) flaws; most of which relate to system DLLs that improperly handle objects in memory. One security feature bypass vulnerability gets patched that lets an attacker inject code into CAB files without invalidating file signatures. Six RCEs are patched in the Microsoft Graphics component, 2 in the Windows DHCP client, and three in scripting engine components.
Microsoft Edge and Internet Explorer
There are 7 critical patches for RCEs in Edge this month involving problems with how objects are handled in memory and that could let an attacker get full user rights. 2 critical RCEs are also patched in Internet Explorer (IE) 11.
Active Directory Advisory
This month, Microsoft has updated its advice about LDAP signing and channel binding. You can find the details here.
Office 365 ProPlus gets 4 patches for critical RCEs, again where objects are not handled properly in memory. There are 2 important fixes. One is another RCE flaw and the second is an EoP bug in Outlook that initiates processing of incoming messages without enough validation. It could let an attacker force Outlook to load a local or remote message store.
SharePoint and Exchange
SharePoint gets two critical RCE patches. I’ll let you guess what they involve – hint: objects in memory. There are also two important fixes. One for an information disclosure issue and the second, spoofing.
There’s an EoP vulnerability in Outlook Web Access (OWA) affecting Office 365, Exchange Online, and Outlook.com that could let an attacker get access to another person’s inbox. An attacker would need to replace an unsigned token with a different one. Microsoft says that this vulnerability has been mitigated for all Microsoft Live accounts.
It might be hard to believe but this is the second month in a row with no patches for Adobe Flash Player. But there are other fixes for Adobe products, including Photoshop, Acrobat and Acrobat Reader, Creative Cloud, After Effects, and Premiere Pro.
That’s it for this month. Happy patching!