• August 2019 Security patches: It’s a biiiiiiiiig month

    Looks like we’re getting 90 separate patches for 93 individually reported security holes (CVEs).

    The largest single pain point appears to be Remote Desktop Services. (Tell me if you’ve heard that one before.) According to a post from Simon Pope at the MS Security Response Center:

    Today Microsoft released a set of fixes for Remote Desktop Services that include two critical Remote Code Execution (RCE) vulnerabilities, CVE-2019-1181 and CVE-2019-1182. Like the previously-fixed ‘BlueKeep’ vulnerability (CVE-2019-0708), these two vulnerabilities are also ‘wormable’, meaning that any future malware that exploits these could propagate from vulnerable computer to vulnerable computer without user interaction.

    The affected versions of Windows are Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, and all supported versions of Windows 10, including server versions.

    Windows XP, Windows Server 2003, and Windows Server 2008 are not affected, nor is the Remote Desktop Protocol (RDP) itself affected.,,

    At this time, we have no evidence that these vulnerabilities were known to any third party.

    In the process of fixing the BlueKeep security hole, Microsoft found a metric ton of similar problems. At this point, nobody’s figured out a way to worm-out BlueKeep, so I figure you’re safe for now. This applies to almost none of you (if you have an internet-facing RDP server you likely know about it already), but as Dustin Childs says on the Zero Day Initiative page:

    If you must have an internet-facing RDP server, patch immediately (and reconsider your server placement).

    Martin Brinkmann has his usual overview on ghacks.net:

    Windows 7: 39 vulnerabilities
    Windows 8.1: 39 vulnerabilities
    Windows 10 version 1709: 53 vulnerabilities (!)
    Windows 10 version 1803: 61 vulnerabilities
    Windows 10 version 1809: 64 vulnerabilities
    Windows 10 version 1903: 64 vulnerabilities

    The scariest Office vulnerability? CVE-2019-1201. It looks like you can exploit this one by sending someone an email and having it viewed in the Outlook preview pane. I thought that general form of exploit was fixed years ago – but not according to the CVE description:

    Microsoft Outlook Preview Pane is an attack vector for this vulnerability.

    As usual, we’re very interested in hearing of any problems you encounter – particularly if they persist after you roll back the patch.

    UPDATE: There’s an acknowledged problem with the Win7 and Server 2008R2 patches and Symantec Endpoint Protection. It’s more of the SHA-2 blues. Thx, @EP.

    Another update: Security folks are starting to call the new BlueKeep act-alikes “BlueKeep II” and “BlueKeep III.” I’m going to follow Kevin Beaumont’s lead and call them DejaBlue.

    Worth noting: None of the security holes plugged today have known exploits. SANS Internet Storm Center has details.

    Great observation by Brian Krebs:

    At least one of the updates I installed last month totally hosed my Windows 10 machine. I consider myself an equal OS abuser, and maintain multiple computers powered by a variety of operating systems, including Windows, Linux and MacOS.

    Nevertheless, it is frustrating when being diligent about applying patches introduces so many unfixable problems that you’re forced to completely reinstall the OS and all of the programs that ride on top of it.

    We share your pain, Brian.