Microsoft patches abundance of "critical" and "wormable" Windows vulnerabilities

BlueKeep-like RCE flaws featured among the 93 bugs patched by Microsoft


Microsoft has released fixes for a smorgasbord of issues on the second 'Patch Tuesday' of the month, including multiple remote code execution flaws.

A total of 93 bugs were reported, 29 of which were rated "critical" in severity and 64 "important". However, none of these were zero-days or publicly disclosed vulnerabilities.


Simon Pope, director of incident response at Microsoft, has also said two of the four remote code execution (RCE) issues are "wormable", bearing some resemblance to the (now patched) BlueKeep vulnerabilities discovered in May.

However, security researcher Kevin Beaumont tweeted that, in fact, "3 of the vulnerabilities are wormable, unless I'm missing something (as CVE-2019-1226)".

"By the way, this looks like it is much more serious than BlueKeep as there are so many different issues," Beaumont added. "Do not disable NLA."

Wormable vulnerabilities are cause for concern because, unlike normal malware infections, they can spread between computers without any user interaction, such as visiting a dodgy link or downloading a suspicious email attachment.

The four RCEs were found in the Windows Remote Desktop Services (RDS) component and affected all modern versions of Windows going back to Windows 7. An attacker could abuse the Windows Remote Desktop Protocol (RDP), which is used to operate one computer from another over a network connection, by sending specially crafted requests without the need for authentication or user interaction.


"Once exploited, an attacker would be able to gain arbitrary code execution on the system, allowing them to perform a variety of actions, such as creating a new account with full user rights, installing programs, and viewing, changing or deleting data," said Satnam Narang, senior research engineer at Tenable.

"These vulnerabilities were discovered by Microsoft during hardening of Remote Desktop Services as part of our continual focus on strengthening the security of our products," said Pope. "At this time, we have no evidence that these vulnerabilities were known to any third party."

Justin Campbell, security research and exploit mitigations at Microsoft, tweeted that "the team successfully built a full exploit chain using some of these [RCEs], so it's likely someone else will as well", highlighting the necessity of applying Microsoft's patches expeditiously.

Another patched flaw of note concerned the encryption key negotiation of Bluetooth, which allowed attackers within Bluetooth range to manipulate legitimate wireless signals and gain access to a victim's machine.


With a CVSS score of 9.3, it was one of the issues rated "important" and required specialised hardware and close proximity to the victim to exploit.

All users are advised to ensure Network Level Authentication (NLA) is enabled for RDP, as it provides an extra layer of defence by raising the exploitation requirements for some flaws so that they require credentials.

Although NLA protects against the wormability of the aforementioned RCEs, it's believed that some of the other vulnerabilities are still exploitable even with NLA enabled, which means patching is of vital importance, as is applying all other available mitigations.
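
One way for an administrator to confirm the NLA recommendation above on a given machine, shown as an added example that is not part of the original article or Microsoft's guidance. It reads the standard Windows registry locations for the RDP listener and lets a Group Policy value, where one is set, override the local one; the function names are hypothetical.

```powershell
# Added example: report whether RDP is enabled and whether NLA is enforced.
# Function names are illustrative; registry paths are the standard Windows ones.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-EffectiveRdpSetting {
    # A Group Policy value, when present, takes precedence over the local value.
    param([string]$Name, [string]$LocalPath)
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $value  = Get-RegValue -Path $policy -Name $Name
    if ($null -ne $value) { return $value }
    Get-RegValue -Path $LocalPath -Name $Name
}

function Get-RdpNlaStatus {
    $ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp = "$ts\WinStations\RDP-Tcp"

    $deny  = Get-EffectiveRdpSetting -Name 'fDenyTSConnections' -LocalPath $ts
    $nla   = Get-EffectiveRdpSetting -Name 'UserAuthentication' -LocalPath $rdpTcp
    $layer = Get-EffectiveRdpSetting -Name 'SecurityLayer'      -LocalPath $rdpTcp

    $rdpEnabled  = ($deny -eq 0)   # 0 = connections allowed, 1 = denied
    $nlaRequired = ($nla -eq 1)    # 1 = NLA required before a session is created

    if (-not $rdpEnabled) {
        $finding = 'RDP is disabled on this host.'
    } elseif ($nlaRequired) {
        $finding = 'RDP enabled with NLA required. Patching is still needed.'
    } else {
        $finding = 'RDP enabled WITHOUT NLA: enable NLA and patch.'
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        RdpEnabled    = $rdpEnabled
        NlaRequired   = $nlaRequired
        SecurityLayer = $layer     # 0 = RDP, 1 = Negotiate, 2 = TLS
        Finding       = $finding
    }
}

Get-RdpNlaStatus | Format-List
```

As the article notes, a host reporting NLA as required still needs the patches, since NLA only raises the bar to requiring credentials.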
