Patch time! Microsoft warns of new worm-ready RDP bugs

Microsoft’s Patch Tuesday bought some very bad news yesterday: more wormable RDP vulnerabilities, this time affecting Windows 10 users.

CVE-2019-1181 and -1182 are critical vulnerabilities in Remote Desktop Services (formerly Windows Terminal) that are wormable – similar to the BlueKeep vulnerability that people have already created exploits for. Wormable means that the exploit could, in theory, be used not only to break into one computer but also to spread itself onwards from there.

These new vulnerabilities, which Microsoft found while it was hardening RDS, can be exploited without user interaction by sending a specially-crafted remote desktop protocol (RDP) message to RDS. Once in, an attacker could install programs, change or delete data, create new accounts with full user rights, and more. CVE-2019-1222 and -1226 also address these flaws.

This batch of RDP vulnerabilities affect more Windows versions than BlueKeep, including: Windows 7 SP1; Windows 8.1; Windows 10; Windows Server 2008 R2 SP1, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 and Windows 2019.

Microsoft said that these vulnerabilities haven’t yet been exploited in the wild, but urged customers to get ahead of the game by patching quickly:

It is important that affected systems are patched as quickly as possible because of the elevated risks associated with wormable vulnerabilities like these, and downloads for these can be found in the Microsoft Security Update Guide.

Computers with network level authentication (NLA) are partly protected, because crooks would need to authenticate before making a request, meaning that an attack couldn’t spread without human interaction on NLA-enabled systems.

Microsoft also fixed several other critical bugs in this Patch Tuesday, including a remote code execution (RCE) vulnerability in Internet Explorer’s scripting engine (CVE-2019-1133 and -1194). Attackers can exploit the bug via a specially crafted website or by sending a malicious ActiveX control marked “Safe for initialization” to any MS Office program that uses the Internet Explorer rendering engine.

Edge users didn’t get away scot-free either. There’s a similar bug (CVE-2019-1131, -1139 to -1141, and CVE-2019-1195 to -1197) in that product’s Chakra Scripting Engine. It allows for remote code execution in the current user context, and it’s exploitable via malicious websites.

Microsoft fixed a critical RCE bug in its Hyper-V hypervisor (CVE-2019-0720), which exploits poor input validation in the Hyper-V Network Switch and could be exploited by a malicious application running in the guest OS. There are also some related denial-of-service (DoS) bugs patched in Hyper-V.

CVE-2019-0736, -0965, and -1213 are RCE bugs in the Windows DHCP server that an attacker can exploit by sending malicious DHCP responses to a client, while CVE-2019-1188 is a flaw in the way that Windows processes files with a .LNK extension. LNK files point to executable files, but improper processing enables remote code execution. Attackers could exploit this bug via removable drives or remote shares.

Flaws in the way that Windows processes fonts (CVE-2019-1145, and -1149 to -1152) allow an attacker embedding maliciously crafted fonts in a website or file to execute code remotely on the system.

There were also some bugs in Microsoft Office. A flaw (CVE-2019-1199-1200) in the way that Outlook handles objects in memory means that an attacker could execute code remotely using a malicious file delivered via email or a website. Outlook’s preview pane is an attack vector there, as it is for a bug in Microsoft Word (CVE-2019-1201 and -1205) that allows for remote code execution from maliciously-crafted Word documents.

The final critical bug in the bunch was CVE-2019-1183, which is a flaw in the Windows VBScript Engine that allows malicious websites or ActiveX objects to trigger remote code execution on the target system. However, Microsoft is in the process of getting rid of browser-based VBScript and has now turned it off by default in Internet Explorer 11 in this round of updates.