If you're tired of BlueKeep, well now there's DejaBlue to keep you company.
August Patch Tuesday landed without the fanfare of public disclosures or zero-days that have been the norm the last few months. However, new bugs in Remote Desktop Services (RDS) caused Microsoft to sound the alarm about the potential for a new outbreak on unprotected Windows systems.
Simon Pope, Microsoft Security Response Center's director of incident response, detailed the dangers associated with two remote code execution vulnerabilities (CVE-2019-1181 and CVE-2019-1182) in RDS, which affect all supported versions of Windows client and server systems except Windows Server 2008.
"These vulnerabilities were discovered by Microsoft during hardening of Remote Desktop Services as part of our continual focus on strengthening the security of our products," Pope wrote. "At this time, we have no evidence that these vulnerabilities were known to any third party." Remote Desktop Protocol (RDP) was not affected in these two CVEs, he added.
Customers should apply patches for these "wormable vulnerabilities" as soon as possible, Pope said, using language similar to his description of the BlueKeep vulnerability in May. The CVEs carry a critical rating because exploitation requires neither authentication nor any interaction from a user, so an exploit could hop from one unpatched system to the next across a network. Enabling network-level authentication, a Windows feature that prevents an unauthorized user from starting an RDP session, can help, but it will not stop an attacker who holds valid credentials.
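The mitigation named above can be verified from an administrator's shell. The following PowerShell script is an added example, not code from the article or from Microsoft: it reports whether Remote Desktop is enabled and whether NLA is required on the local host, lists the most recently installed updates for reference, and optionally enforces NLA. It assumes an elevated session on the host being checked; the `-Enforce` switch and the report layout are this example's own choices. The registry values and the `Win32_TSGeneralSetting` WMI class it reads are the standard Windows locations for these settings.

```powershell
# Added example (not from the article): audit, and optionally enforce,
# Network Level Authentication (NLA) for Remote Desktop on a Windows host.
# Assumes an elevated PowerShell session on the host being audited.
# -Enforce is a hypothetical switch chosen for this example.
param(
    [switch]$Enforce
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections: 1 = Remote Desktop connections refused, 0 = allowed
$denyTs = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
# UserAuthentication: 1 = NLA required before a session is created, 0 = not required
$nla    = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication

$report = [pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    RemoteDesktopOn = ($denyTs -eq 0)
    NlaRequired     = ($nla -eq 1)
}
$report | Format-List

# Most recent updates, so the operator can confirm the August cumulative update
# is present. No KB number is hard-coded here; compare against the vendor bulletin.
Write-Output 'Most recently installed updates:'
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn | Format-Table -AutoSize

if ($report.RemoteDesktopOn -and -not $report.NlaRequired) {
    Write-Warning 'Remote Desktop is enabled without NLA: unauthenticated clients can reach RDS before logon.'
    if ($Enforce) {
        # Same setting the System Properties checkbox "Allow connections only from
        # computers running Remote Desktop with Network Level Authentication" writes.
        $ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
                              -ClassName Win32_TSGeneralSetting `
                              -Filter "TerminalName='RDP-Tcp'"
        Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired `
                         -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null
        Write-Output 'NLA is now required for RDP-Tcp.'
    }
}

# NLA only narrows exposure to clients that can authenticate; an attacker holding
# valid credentials still reaches RDS. Installing the update remains the fix.
```

Run it without arguments to get a read-only report; add `-Enforce` to turn NLA on where Remote Desktop is enabled without it. Because the check reads the registry directly, it can be wrapped in `Invoke-Command` to sweep a fleet of hosts and flag the ones still exposing RDS without NLA while the update is rolled out.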
Security researcher Kevin Beaumont, who coined the term BlueKeep, combined these two critical CVEs along with five tangentially related CVEs from August Patch Tuesday and called it DejaBlue, based on a suggestion on Twitter. The five other CVEs (CVE-2019-1222, CVE-2019-1223, CVE-2019-1224, CVE-2019-1225 and CVE-2019-1226) only affect Windows 10 and Windows Server 2019. CVE-2019-1223 differs from the others in that it deals with an RDP exploit. There are no known exploits for these vulnerabilities at the moment, Beaumont noted, but users should patch their systems soon.
"Anyhoo my message is keep calm and patch. ... [T]he usual race between patching to patch reversing has begun, y'all can win that race," Beaumont wrote on Twitter.
Client-side bug fixed in Microsoft Word
In total, Microsoft closed 93 unique vulnerabilities in its August Patch Tuesday security updates, with 29 rated critical and 64 labeled important. A client-side vulnerability that will catch the attention of administrators is a critical bug in Microsoft Word that can be triggered through Outlook.
CVE-2019-1201 is a remote code execution vulnerability in Word caused by improper handling of objects in memory. Because the Outlook preview pane is the attack vector, a user just needs to preview the Word document in the mail client for the exploit code to run. The attacker could then use a specially crafted file to run actions based on the permission level of the affected user.