The October updates for Microsoft products together eliminate 59 vulnerabilities, including a dangerous error in the RDP code. The developer rated nine of these vulnerabilities as critical, most notably the RCE bug in the remote desktop client application.
“This month Microsoft acted modestly: it patched 59 vulnerabilities, and did not give any new security recommendations. Updates were received by Microsoft Windows, Internet Explorer, Edge (on the EdgeHTML engine), ChakraCore, Microsoft Office, including related services and web applications, as well as SQL Server Management Studio, Microsoft Dynamics 365, Windows Update client and open source software”, – writes Dustin Childs on the Zero Day Initiative blog, discussing a new set of patches for the IT industry leader.
Among the critical vulnerabilities, the expert especially noted the RCE bug in the Remote Desktop Service that manifests itself on the client side (CVE-2019-1333).
According to Microsoft’s description, exploitation in this case is possible if an attacker manages to convince a user to connect to a malicious server. If this operation is successful, the attacker will be able to send commands to the victim’s machine in order to install programs, view and modify data, or create new accounts with a full set of rights.
Recently, Microsoft has had to pay a lot of attention to the security of Windows Remote Desktop Services. In May, developers released a patch for the very dangerous vulnerability CVE-2019-0708, which later became known as BlueKeep. In August, two other RDP issues similar to BlueKeep were reported.
Fortunately, unlike those bugs, CVE-2019-1333 cannot be exploited without interaction from a potential victim. Despite this, Microsoft considered it critical.
Information security experts also advise paying attention to RCE vulnerabilities in the VBScript scripting engine (CVE-2019-1238 and CVE-2019-1239). They are caused by memory corruption and allow a malicious document or application to execute arbitrary code in the context of the current user.
“These bugs can be used for remote execution of arbitrary code through memory corruption. The user can provoke an exploit by accessing a malicious site through Edge”, – experts of Cisco Talos comment.
Microsoft also fixed a critical privilege escalation bug in Azure Stack (CVE-2019-1372). The cause of the problem is the Azure application service, which does not check the length when copying data to a buffer. Successful exploitation allows an attacker to break out of the sandbox and execute code with System privileges.