It’s that time of the month again: Microsoft, Adobe and Intel have pushed out fixes for a bucketload of security issues in their various software.
Microsoft’s security updates should take precedence, though, as they fix 29 critical vulnerabilities, including four in Remote Desktop Services, two of which – Microsoft warns – are wormable, just like BlueKeep before them.
Microsoft has plugged 93 CVEs and has released two advisories – one recommends a new set of safe default configurations for LDAP channel binding and LDAP signing on Active Directory Domain Controllers, the other announces that the company has mitigated an elevation of privilege vulnerability in Outlook Web Access, which could have allowed attackers to access a target’s email inbox.
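The LDAP advisory is a configuration change rather than a patch, so it is worth checking where each Domain Controller stands before and after applying it. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes the registry location and value names (`LDAPServerIntegrity`, `LdapEnforceChannelBinding`) and their meanings as documented in Microsoft's LDAP signing and channel binding guidance, and it is meant to be run elevated on each DC.

```powershell
# Added example (not from the article): audit and optionally apply the LDAP signing and
# channel binding hardening Microsoft recommends for Domain Controllers.
# Assumption: the registry path and value names below follow Microsoft's LDAP hardening
# documentation. Run elevated on each DC, or remotely via Invoke-Command.

$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-LdapHardeningState {
    param([string]$Path = $NtdsParams)

    $props = Get-ItemProperty -Path $Path -ErrorAction Stop

    # LDAPServerIntegrity: 1 = signing not required (default), 2 = signing required
    $signing = if ($null -ne $props.LDAPServerIntegrity) { [int]$props.LDAPServerIntegrity } else { 1 }

    # LdapEnforceChannelBinding: 0 = never (default), 1 = when supported, 2 = always
    $cbt = if ($null -ne $props.LdapEnforceChannelBinding) { [int]$props.LdapEnforceChannelBinding } else { 0 }

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        LDAPServerIntegrity       = $signing
        SigningRequired           = ($signing -ge 2)
        LdapEnforceChannelBinding = $cbt
        ChannelBindingEnforced    = ($cbt -ge 1)
    }
}

function Set-LdapHardeningState {
    # Applies the hardened values. Clients that cannot sign or supply channel binding
    # tokens will fail LDAP binds afterwards, so inventory those clients first.
    param([string]$Path = $NtdsParams)

    Set-ItemProperty -Path $Path -Name 'LDAPServerIntegrity'       -Value 2 -Type DWord
    Set-ItemProperty -Path $Path -Name 'LdapEnforceChannelBinding' -Value 2 -Type DWord
}

# Report the current state and flag DCs that still accept unsigned / unbound LDAP.
$state = Get-LdapHardeningState
$state | Format-List

if (-not $state.SigningRequired -or -not $state.ChannelBindingEnforced) {
    Write-Warning "LDAP hardening incomplete on $($state.ComputerName); run Set-LdapHardeningState once legacy clients are accounted for."
}
```

Run `Get-LdapHardeningState` across the DC fleet first (for example with `Invoke-Command` against the output of `Get-ADDomainController -Filter *`) and only call `Set-LdapHardeningState` once the report shows no clients depending on unsigned binds; the change is enforced immediately and breaks non-compliant clients rather than degrading gracefully.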
The fixed vulnerabilities of note this time are:
CVE-2019-1181 and CVE-2019-1182 – two RDP unauthenticated remote code execution flaws that can be widely exploited through worms, without any user interaction. They affect Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, and all supported versions of Windows 10, including server versions.
“These vulnerabilities were discovered by Microsoft during hardening of Remote Desktop Services as part of our continual focus on strengthening the security of our products. At this time, we have no evidence that these vulnerabilities were known to any third party,” Simon Pope, Director of Incident Response, Microsoft Security Response Center (MSRC),