This week marks the release of Microsoft’s monthly scheduled updates. With August Patch Tuesday, Microsoft has addressed 93 security flaws. These even include some critical wormable bugs in Windows Remote Desktop Services.
Critical Security Flaws In Windows RDS
Microsoft has addressed at least four different security flaws in Windows Remote Desktop Services. All of these vulnerabilities could allow remote code execution if exploited.
Describing the vulnerabilities, Microsoft explained that the flaws existed in the way Windows RDS handles connection requests. As stated in the advisories,
A remote code execution vulnerability exists in Remote Desktop Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
The vulnerabilities are CVE-2019-1181, CVE-2019-1182, CVE-2019-1222, and CVE-2019-1226. Of these, Microsoft has categorized the first two as ‘wormable’, just like the BlueKeep vulnerability (CVE-2019-0708) that Microsoft patched in the May updates.
All these flaws have received a critical severity rating with a CVSS base score of 9.8. As a possible mitigation, Microsoft recommends disabling Windows Remote Desktop Services when not in use. However, for adequate protection against potential attacks, users must ensure their devices are updated with the patches.
Other Microsoft August Patch Tuesday Updates
Apart from the Windows RDS flaws, Microsoft also addressed numerous other vulnerabilities in various products. These include fixes in Microsoft Windows, Microsoft Edge, Internet Explorer, Microsoft Office and Microsoft Office Services and Web Apps, ChakraCore, Visual Studio, Active Directory, Online Services, and Microsoft Dynamics.
In terms of severity, Microsoft addressed 29 critical security bugs (including the four discussed above) and 64 important ones. None of the bugs addressed is rated low severity.
All the critical vulnerabilities could lead to remote code execution if exploited. These include memory corruption vulnerabilities in Chakra Scripting Engine (7), Microsoft Outlook (1), and Scripting Engine (2). They also include remote code execution flaws in Microsoft Graphics (6), Microsoft Word (2), and one RCE bug each in Hyper-V, Microsoft Outlook, LNK, Windows Hyper-V, Windows DHCP Client, Windows DHCP Server, and VBScript Engine.
Fortunately, this month’s security update bundle does not include any publicly disclosed or actively exploited bug.