Microsoft has patched 93 unique CVEs this month, and although there are no zero-days or publicly disclosed flaws, there’s plenty to keep sysadmins busy, according to experts.
Top of the list are two wormable RDP flaws CVE-2019-1181/1182) similar to the Bluekeep bug discovered earlier this year, which require urgent patching as an infection could spread without user interaction.
Elsewhere it’s a fairly light patch load by recent standards: there are 31 critical vulnerabilities and 65 rated as important.
“On the critical list are several Remote Code Execution (RCE) vulnerabilities including those that affect Hyper-V and Remote Desktop Services, services that are often exposed publicly. There are also RCE vulnerabilities in Outlook and Word where a maliciously crafted document or email could allow an attacker to execute their code,” explained Trustwave.
“Luckily the Outlook vulnerability can't be triggered by the simply using the Preview pane. A similar RCE affects .LNK or 'shortcuts' files, where an attacker could craft a malicious shortcut and would only need to get their target or victim to click on it to execute their code. There is also an RCE vulnerability in both DHCP servers and clients that could be triggered with a malicious DHCP lease request or response.”
Ivanti director of security solutions, Chris Goettl, highlighted an encryption key negotiation of Bluetooth vulnerability (CVE-2019-9506) as one to prioritize.
“This tampering vulnerability has a CVSS score of 9.3. It requires specialised hardware to exploit but can allow wireless access and disruption within Bluetooth range of the device being attacked,” he explained. “Microsoft provided an update to address the issue, but the new functionality is disabled by default. You must enable the functionality by setting a flag in the registry.”
Elsewhere, Adobe released eight new updates including critical bulletins for Creative Cloud and Experience Manager and fixes for Acrobat and Acrobat Reader flaws, as well as a non-security update for Flash.