Microsoft released updates to patch 93 CVEs, along with two advisories, in this month’s Patch Tuesday. The bulletin patches issues in Azure DevOps Server, Internet Explorer, Microsoft Office, Microsoft Windows, Visual Studio, to name a few. The patches address 29 vulnerabilities rated Critical and 64 that were rated Important. A total of 21 CVEs were disclosed through the Zero Day Initiative (ZDI) program.
While none of the vulnerabilities were listed as under active attack at the time of release, a few of the bugs addressed this month fall under the “wormable” category, namely remote code execution (RCE) vulnerabilities in the Remote Desktop Services (designated as CVE-2019-1181 and CVE-2019-1182) that received Microsoft’s highest exploitability ranking. An attacker can exploit these flaws to gain code execution at a system level by sending a specially crafted pre-authentication RDP packet to an affected RDS server. Like the previously patched BlueKeep vulnerability, attackers can exploit the aforementioned RDS flaws to execute arbitrary code on vulnerable computers without user interaction.