
August Patch Tuesday corrects new 'wormable' exploits

Administrators weighed down by news of the BlueKeep vulnerability will have to contend with a similar bug some are calling DejaBlue.

If you're tired of BlueKeep, well now there's DejaBlue to keep you company.

August Patch Tuesday landed without the fanfare of public disclosures or zero-days that have been the norm the last few months. However, new bugs in Remote Desktop Services (RDS) caused Microsoft to sound the alarm about the potential for a new outbreak on unprotected Windows systems.

Simon Pope, Microsoft Security Response Center's director of incident response, detailed the dangers associated with two remote code execution vulnerabilities (CVE-2019-1181 and CVE-2019-1182) in RDS. They affect all supported versions of Windows client and server systems except for Windows Server 2008.

"These vulnerabilities were discovered by Microsoft during hardening of Remote Desktop Services as part of our continual focus on strengthening the security of our products," Pope wrote. "At this time, we have no evidence that these vulnerabilities were known to any third party." Remote Desktop Protocol (RDP) was not affected in these two CVEs, he added.


Customers should apply patches for these "wormable vulnerabilities" as soon as possible, Pope said, using language similar to his description of the BlueKeep vulnerability in May. The CVEs are rated critical because exploitation requires neither authentication nor any interaction from a user, so malware that exploits them could hop from one unpatched system to the next across a network. Network Level Authentication (NLA), a Windows feature that requires a user to authenticate before an RDP session is established, is a partial mitigation: it blocks an unauthenticated attacker from reaching the vulnerable code, but it will not stop an attacker who holds valid credentials for the target.

Security researcher Kevin Beaumont, who coined the term BlueKeep, grouped these two critical CVEs with five tangentially related CVEs from August Patch Tuesday and called the set DejaBlue, based on a suggestion on Twitter. The five other CVEs (CVE-2019-1222, CVE-2019-1223, CVE-2019-1224, CVE-2019-1225 and CVE-2019-1226) only affect Windows 10 and Windows Server 2019. CVE-2019-1223 differs from the others in that it is a denial-of-service bug in the RDP protocol itself rather than a code execution or information disclosure flaw. There are no known exploits for these vulnerabilities at the moment, Beaumont noted, but users should patch their systems soon.

"Anyhoo my message is keep calm and patch. ... [T]he usual race between patching to patch reversing has begun, y'all can win that race," Beaumont wrote on Twitter.

Client-side bug fixed in Microsoft Word

In total, Microsoft closed 93 unique vulnerabilities in its August Patch Tuesday security updates, with 29 rated critical and 64 labeled important. A client-side vulnerability that will catch the attention of administrators is a critical bug in Microsoft Word that can be triggered through the Outlook preview pane.

CVE-2019-1201 is a remote code execution vulnerability in Word caused by improper handling of objects in memory. Because the Outlook preview pane is an attack vector, a user only needs to preview a specially crafted Word document in the mail client for the exploit code to run; no click on the attachment is needed. The code runs in the security context of the affected user, so what the attacker can do on the machine is bounded by that user's permission level, which makes accounts with administrative rights the most damaging targets.

Join the conversation


How do you lock down your Remote Desktop Services and Remote Desktop Protocol usage?
I would change the port from 3389 to some other port and configure the firewall to accept only that port.

Also, I would disable RDP services on client PCs not needing RDP.

Set NLA for RDP on all clients and servers. Should work!

Consider using RDPGuard. It tracks who attempts to log onto your system via RDP and then blocks them by IP if they enter too many incorrect logons.

As far as I can understand RDPGuard, it won't protect against #BlueKeep, as it doesn't use a brute-force attack. Am I right?

I've got old Windows XP workstations used in OT, so I cannot upgrade or update them (multiple reasons).
The Terminal Service in Windows XP can be disabled but not shut down unless there's a reboot, and of course I cannot reboot.
One solution we may have found is to apply the GPO "Allow users to connect remotely using Remote Desktop Services" and select Disabled. Port TCP/3389 therefore becomes unreachable. RDPScan (to check for the #BlueKeep vulnerability) times out as it cannot connect to this PC anymore.
Do you agree with this mitigation/solution?
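The NLA mitigation the article mentions and the lockdown steps the commenters describe (scoping the firewall to a known source, disabling RDP on clients that never need it, requiring NLA, and the GPO that flips fDenyTSConnections) can be audited and applied from PowerShell. The script below is an added example written for this page; it is not code from the article, from Microsoft or from any commenter. It assumes the standard registry locations named in its comments and the NetSecurity and NetTCPIP cmdlets shipped with Windows 8/Server 2012 and later; the function names Get-RdpPosture and Set-RdpHardening are my own.

```powershell
# Added example (not from the article or the commenters): audit and, optionally,
# enforce the RDP lockdown steps discussed above on the local Windows host.
# Run from an elevated PowerShell session. Assumptions: the registry paths below
# (standard on Windows 7/2008 R2 and later) and the Get-/Set-NetFirewallRule and
# Get-NetTCPConnection cmdlets (Windows 8/2012 and later).

$TsPath     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$WinStation = "$TsPath\WinStations\RDP-Tcp"
# The GPO "Allow users to connect remotely by using Remote Desktop Services"
# writes fDenyTSConnections under this policy key; Disabled = 1.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RdpPosture {
    # Collect the settings that decide whether an unauthenticated peer can reach RDS.
    $deny    = (Get-ItemProperty $TsPath).fDenyTSConnections
    $polDeny = (Get-ItemProperty $PolicyPath -ErrorAction SilentlyContinue).fDenyTSConnections
    $ws      = Get-ItemProperty $WinStation
    $port    = $ws.PortNumber
    $listening = [bool](Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue)
    $fwRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue

    [pscustomobject]@{
        RdpEnabled        = ($deny -eq 0) -and ($polDeny -ne 1)  # a policy value of 1 overrides the local setting
        NlaRequired       = ($ws.UserAuthentication -eq 1)      # 1 = Network Level Authentication required
        SecurityLayer     = $ws.SecurityLayer                   # 0 = RDP security, 1 = negotiate, 2 = TLS required
        Port              = $port
        Listening         = $listening
        EnabledRdpFwRules = @($fwRules).Count                   # built-in "Remote Desktop" rules still active
    }
}

function Set-RdpHardening {
    param(
        [switch]$DisableRdp,                           # for clients that never take inbound RDP
        [int]$Port = 3389,
        [string[]]$AllowedSources = @('LocalSubnet')   # hosts or ranges allowed to reach the listener
    )
    if ($DisableRdp) {
        # Same effect as the GPO set to Disabled: the listener refuses new sessions.
        Set-ItemProperty $TsPath -Name fDenyTSConnections -Value 1
        Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
        return Get-RdpPosture
    }

    # Require NLA and TLS. Both are checked before a full session is set up, so an
    # unauthenticated peer never reaches the session-layer code. An attacker who
    # already holds valid credentials is not stopped by this; only the patch does that.
    Set-ItemProperty $WinStation -Name UserAuthentication -Value 1
    Set-ItemProperty $WinStation -Name SecurityLayer -Value 2
    Set-ItemProperty $WinStation -Name PortNumber -Value $Port

    # Replace the broad built-in "Remote Desktop" rules with one rule scoped to the
    # allowed sources. Source scoping, not the port number, is what limits exposure.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
    $name = 'RDP-Hardened-Inbound'
    Remove-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
        -LocalPort $Port -RemoteAddress $AllowedSources -Action Allow `
        -Profile Domain,Private | Out-Null

    # Port and security-layer changes take effect only when the listener restarts.
    Restart-Service -Name TermService -Force
    Get-RdpPosture
}

# Usage:
#   Get-RdpPosture                                            # audit only
#   Set-RdpHardening -AllowedSources 10.0.0.0/24              # jump-host subnet only
#   Set-RdpHardening -DisableRdp                              # workstation that never takes RDP
```

Run Get-RdpPosture first to record the starting state; a host that reports RdpEnabled true, NlaRequired false and an enabled "Remote Desktop" rule group open to any address is the exposure profile the article warns about. None of these settings replaces the August updates: NLA and firewall scoping shrink the set of peers that can reach the vulnerable code, but, as the article notes, a peer with valid credentials still passes NLA. In a domain, local registry edits are overwritten at the next policy refresh, so the same values belong in the GPO rather than in a local script.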