Microsoft has released its latest monthly security updates, which include fixes for four zero-day threats recently published by SandboxEscaper.
In total Redmond fixed 88 vulnerabilities in this update round with 21 labelled critical.
The four zero-days are all elevation of privilege flaws affecting Windows: CVE-2019-1069 is a bug in the Windows Task Scheduler; CVE-2019-1064 is an elevation of privilege bug in Windows; CVE-2019-1053 is a vulnerability in Windows Shell which could allow elevation of privilege on the affected system by escaping a sandbox; and CVE-2019-0973 is a flaw in Windows Installer.
The recently disclosed BlueKeep vulnerability (CVE-2019-0708) in RDP should also be a priority for system admins, after Microsoft warned that it could be “wormable” — that is, exploitable without the need for user interaction.
However, patching is just one part of the defense-in-depth approach IT security teams need to take, according to Ivanti director of security solutions, Chris Goettl.
“Currently around 1.6 million public facing RDP servers are under the attack of a botnet called GoldBrute. Instead of exploiting a vulnerability, GoldBrute is attacking weak passwords. A couple of things to assess in your environment: do you have public facing RDP services exposed? Have you assessed its configuration?” he explained.
“Ideally, blocking RDP at the perimeter is best. Restricting access to a VPN controls the exposure of RDP more. Enabling network-level authentication can help mitigate BlueKeep. Ensure any credentials available over RDP have strong passwords that are changed regularly.”
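As an added illustration (not part of the original article or of Goettl's remarks), the PowerShell function below audits a single Windows host against the configuration points raised above: whether Remote Desktop is enabled, whether network-level authentication is required, and whether the local firewall accepts RDP from any address. It assumes an English-language system (the `Remote Desktop` firewall display group) and inspects only local settings, so perimeter exposure still has to be checked at the edge firewall.

```powershell
# Added example: read-only audit of this host's RDP exposure (run elevated).
function Get-RdpExposureReport {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = Join-Path $ts 'WinStations\RDP-Tcp'
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

    # fDenyTSConnections = 0 means the host accepts Remote Desktop connections.
    $enabled  = (Get-ItemProperty -Path $ts).fDenyTSConnections -eq 0
    $listener = Get-ItemProperty -Path $tcp

    # UserAuthentication = 1 requires NLA; a Group Policy value, if set, wins.
    $nlaValue = $listener.UserAuthentication
    $policy   = Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue
    if ($null -ne $policy.UserAuthentication) { $nlaValue = $policy.UserAuthentication }

    # Enabled inbound allow rules (local store) in the built-in group that accept any source.
    # 'Remote Desktop' is the English display group name (assumption).
    $openRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' })

    $findings = @()
    if ($enabled -and $nlaValue -ne 1) {
        $findings += 'NLA is not required: enable it so authentication happens before a session is created.'
    }
    if ($enabled -and $openRules.Count -gt 0) {
        $findings += 'Firewall allows RDP from any address: restrict RemoteAddress to the VPN or management subnet.'
    }
    if (-not $enabled) { $findings += 'Remote Desktop is disabled on this host.' }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        RdpEnabled    = $enabled
        Port          = $listener.PortNumber
        NlaRequired   = ($nlaValue -eq 1)
        OpenToAnyRule = $openRules.DisplayName
        Findings      = $findings
    }
}

Get-RdpExposureReport | Format-List
```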
Elsewhere, there’s one critical update for Flash Player this month, fixing a bug (CVE-2019-7845) which could allow arbitrary code execution on a victim’s machine. Adobe also announced patches for three critical ColdFusion vulnerabilities and seven Adobe Campaign bugs, one of which is critical.