Microsoft Patches 93 CVEs But No Zero-Days in August




Microsoft has patched 93 unique CVEs this month, and although there are no zero-days or publicly disclosed flaws, there’s plenty to keep sysadmins busy, according to experts.



Top of the list are two wormable RDP flaws (CVE-2019-1181/1182) similar to the BlueKeep bug discovered earlier this year, which require urgent patching as an infection could spread without user interaction.



Elsewhere it’s a fairly light patch load by recent standards: there are 31 critical vulnerabilities and 65 rated as important.



“On the critical list are several Remote Code Execution (RCE) vulnerabilities including those that affect Hyper-V and Remote Desktop Services, services that are often exposed publicly. There are also RCE vulnerabilities in Outlook and Word where a maliciously crafted document or email could allow an attacker to execute their code,” explained Trustwave.



“Luckily the Outlook vulnerability can't be triggered by simply using the Preview pane. A similar RCE affects .LNK or 'shortcuts' files, where an attacker could craft a malicious shortcut and would only need to get their target or victim to click on it to execute their code. There is also an RCE vulnerability in both DHCP servers and clients that could be triggered with a malicious DHCP lease request or response.”



Ivanti director of security solutions, Chris Goettl, highlighted the Encryption Key Negotiation of Bluetooth vulnerability (CVE-2019-9506) as one to prioritize.



“This tampering vulnerability has a CVSS sco ..
