Of the 93 vulnerabilities Microsoft patched today, 29 are rated Critical and 64 are rated Important in severity.
On the second Tuesday of the month, like clockwork, Microsoft released its monthly rollup of security updates, known as Patch Tuesday.
This month, Microsoft patched 93 security flaws and published two security advisories with mitigations for two security-related issues impacting the company’s products & services.
Unlike in previous months, none of the vulnerabilities that have been patched today were under attack, or had their details publicly disclosed online.
THE RDS RCES
But while security researchers say that all security bugs are important, the “stars” of this month’s Patch Tuesday are the four remote code execution bugs Microsoft fixed in the Windows Remote Desktop Services (RDS) component — CVE-2019-1181, CVE-2019-1182, CVE-2019-1222, and CVE-2019-1226.
Of the four, the first two are the biggest threats.
In a blog post, Simon Pope, Director of Incident Response for the Microsoft Security Response Center (MSRC), said the two bugs are “wormable,” akin to the now-infamous BlueKeep (CVE-2019-0708) bug that Microsoft patched in RDS in May.
This means attackers can exploit the bugs to take over a computer and then spread to other computers without any user interaction.
Patching CVE-2019-1181 and CVE-2019-1182 is of the utmost urgency, and for good reasons.
OTHER PATCHED VULNERABILITIES
But the four remote code execution (RCE) bugs in the RDS component are not the only RCEs patched this month.
There are also seven RCEs impacting the Chakra scripting engine (included in Microsoft Edge and other Microsoft apps), two RCEs in Microsoft Hyper-V virtual machine hypervisor technology, six RCEs in the Microsoft Graphics component, one in Outlook, two in Word, two in the Windows DHCP client, two in the older Scripting Engine component, and one in the VBScript engine.
And there is also a patch for a bug in the shadowy CTF protocol that impacts all Windows versions since Windows XP.
All in all, the August 2019 Patch Tuesday is both bulky and critical. Of the 93 vulnerabilities Microsoft patched today, 29 are rated Critical and 64 are rated Important in severity.
Microsoft also used the occasion to remind users that Windows 7 and Windows Server 2008 R2 will be out of extended support and will no longer receive updates as of January 14, 2020.
“We strongly recommend that you update any computers running Windows 7 or Windows Server 2008 R2 so you will continue receiving security updates,” the company said.
OTHER NON-MICROSOFT SECURITY UPDATES
Because Microsoft’s Patch Tuesday is also the day when other vendors release security patches, it’s worth mentioning that Adobe, SAP, and VMware published their respective security updates earlier today.
Of the three, Adobe’s security updates are the largest, with fixes for Photoshop, Experience Manager, Acrobat/Reader, the Creative Cloud desktop app, Prelude, Premiere Pro, Character Animator, and After Effects. Of note, there are no Flash security updates this month.
More in-depth information on today’s Patch Tuesday updates is available on Microsoft’s official Security Update Guide portal. Patch Tuesday reports are also available from ZDNet, Trend Micro, and the SANS Internet Storm Center.