BlueKeep exploitation fears remain…
Six Hyper-V vulnerabilities made it into this month’s Patch Tuesday: an unusually high number for Microsoft’s hardware virtualisation offering, which lets you run multiple operating systems as virtual machines on Windows (and which draws the highest bounties under the company’s active bug bounty programme).
No doubt pleasingly for Microsoft, four were identified by Joseph Bialek of the Microsoft Security Response Center (MSRC) Vulnerabilities and Mitigations Team, one by the company’s own Hyper-V development team, and just one by a named third party: HongZhenhao of “IceSword Lab” at Chinese security company Qihoo 360.
6 Hyper-V CVEs were fixed today! 1 DOS found by the Hyper-V dev team. 1 RCE found by Qihoo360 IceSword Lab. 2 DOS and 1 RCE found by me. 1 RCE found by an anonymous researcher and me.
— Joseph Bialek (@JosephBialek) June 11, 2019
Microsoft is resolving 88 unique vulnerabilities in this month’s “Patch Tuesday”. The patches come as a Google security researcher revealed a Windows zero-day that remains unpatched after Microsoft missed a 90-day disclosure deadline.
Four are publicly disclosed CVEs.
- CVE-2019-1069 is a vulnerability in the Windows Task Scheduler which could allow Elevation of Privilege on the affected system. This affects Windows 10, Server 2016 and later.
- CVE-2019-1064 is a vulnerability in Windows which could allow Elevation of Privilege on the affected system. This affects Windows 10, Server 2016 and later.
- CVE-2019-1053 is a vulnerability in Windows Shell which could allow Elevation of Privilege on the affected system by escaping a sandbox. This affects all currently supported Windows operating systems.
- CVE-2019-0973 is a vulnerability in Windows Installer that could allow Elevation of Privilege on the affected system due to improper sanitisation of input from loaded libraries.
But security experts said the greatest issue remains “BlueKeep”; a potentially devastating vulnerability reported to Microsoft by the UK’s NCSC last month that remains unpatched by an estimated million Windows users around the world.
Chris Goettl, Director of Security Solutions at Ivanti said: “BlueKeep (CVE-2019-0708) is still the most threatening vulnerability on the Microsoft platform at the moment. While this month’s line-up of public disclosures increases the urgency of patching all of the Windows operating systems in your environment, it is also a good moment to step back and assess Microsoft Desktop Protocol (RDP) usage in your environment altogether.”
“Currently around 1.6 million public-facing RDP servers are under attack from a botnet called GoldBrute. Instead of exploiting a vulnerability, GoldBrute is attacking weak passwords. A couple of things to assess in your environment: do you have public-facing RDP services exposed? Have you assessed its configuration? Ideally, blocking RDP at the perimeter is best. Restricting access to a VPN controls the exposure of RDP more. Enabling Network Level Authentication can help mitigate BlueKeep. Ensure any credentials available over RDP have strong passwords that are changed regularly.”
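The checks Goettl lists (is RDP enabled, is Network Level Authentication enforced, is port 3389 reachable) can be scripted on each Windows host. The following PowerShell is an added example and is not code from the article or from Ivanti; it relies on the documented Win32_TSGeneralSetting WMI class, the Terminal Server registry key and the NetSecurity/NetTCPIP modules shipped with Windows 8 / Server 2012 and later, and must run elevated to change the NLA setting.

```powershell
# Added example: audit one host's RDP exposure and NLA state, and optionally enforce NLA.
# Not part of the original article. Assumes Windows 8 / Server 2012 or later with the
# NetSecurity and NetTCPIP modules present; run in an elevated session.

function Get-RdpExposureReport {
    [CmdletBinding()]
    param()

    # fDenyTSConnections = 0 means Remote Desktop connections are allowed on this host.
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0

    # UserAuthenticationRequired = 1 means Network Level Authentication is enforced,
    # so a client must authenticate before a full RDP session is established.
    $tsSetting = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $nlaEnabled = $tsSetting.UserAuthenticationRequired -eq 1

    # Enabled inbound allow rules in the built-in "Remote Desktop" firewall group.
    $openRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }

    # A listener on 3389 shows the service is up; whether it is reachable from the
    # Internet still has to be confirmed from outside the perimeter.
    $listeners = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue

    $advice = if (-not $rdpEnabled) {
        'RDP disabled on this host'
    } elseif (-not $nlaEnabled) {
        'Enable NLA (Enable-RdpNla) and restrict 3389 to VPN; patch CVE-2019-0708'
    } else {
        'NLA enforced; still patch CVE-2019-0708 and limit 3389 to VPN/perimeter'
    }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        RdpEnabled            = $rdpEnabled
        NlaEnabled            = $nlaEnabled
        FirewallAllowsInbound = ($openRules | Measure-Object).Count -gt 0
        ListeningOn3389       = ($listeners | Measure-Object).Count -gt 0
        Recommendation        = $advice
    }
}

function Enable-RdpNla {
    # Turns on NLA for the RDP-Tcp listener; this is the same WMI method the
    # "Allow connections only from computers running Remote Desktop with NLA" checkbox uses.
    $tsSetting = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    Invoke-CimMethod -InputObject $tsSetting -MethodName SetUserAuthenticationRequired `
        -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null
}

Get-RdpExposureReport | Format-List
```

Run the report across a fleet with Invoke-Command and collect the objects into a CSV to find hosts where RdpEnabled is true and NlaEnabled is false; those are the ones to fix first. NLA reduces the unauthenticated attack surface but is not a substitute for installing the CVE-2019-0708 fix, and a host-side check cannot tell you whether 3389 is exposed at the perimeter, which needs an external scan of your public ranges.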
On the non-Microsoft side, Adobe Flash Player is the one addition to this month’s Patch Tuesday line-up. The Flash Player update resolves one critical vulnerability (CVE-2019-7845), which could allow arbitrary code execution on the target system. Adobe Flash’s usage globally has been in decline, with its end-of-life due in early 2020, but it is still a target of opportunity for attackers, so wherever you cannot eliminate it you should be patching it as soon as possible.