Microsoft has issued patches for 93 vulnerabilities across Windows, Microsoft Browsers, Microsoft Office, and Outlook this Patch Tuesday, 26 of which achieved a ‘critical’ rating.
Somewhat unusually, there are no patches to address currently exploited zero-day vulnerabilities in this month’s updates; however, it is still important to apply the updates as soon as possible as it is unlikely to be long before exploits are developed for the remote code execution vulnerabilities.
Four of the critical vulnerabilities corrected in this month’s round of updates are wormable flaws in Remote Desktop Protocol (RDP), two of which – CVE-2019-1181 and CVE-2019-1182 – affect all versions of Windows. The other two – CVE-2019-1222 and CVE-2019-1226 – affect Windows 10 and Windows Server 2019 and version 1803. These vulnerabilities can be remotely exploited to download malware on vulnerable devices. The flaws can be exploited by sending a specially crafted pre-authentication RDP packet to an affected RDS server.
The flaws are similar to the BlueKeep vulnerability previously disclosed by Microsoft and could be used in a WannaCry-style attack. BlueKeep did not affect the latest Windows versions, so the latest vulnerabilities are potentially more serious, although Remote Desktop is disabled by default in Windows 10.
All four exploits have been given Microsoft’s highest ranking for severity which indicates exploits are likely to be developed in the near future. Another critical flaw- CVE-2019-0736 – is also potentially wormable. These updates should therefore be applied as a priority.
This month has seen several updates issued for Microsoft browsers to address flaws that could be exploited to intercept information and install malware.
There are a further 64 vulnerabilities rated important which affect Microsoft Windows, Dynamics, SharePoint, Outlook, Jet database engine, and the Edge and Internet Explorer browsers.
Adobe has issued patches for 119 security vulnerabilities across its range of products this Patch Tuesday.