Critical Microsoft Remote Desktop Flaw Fixed in Security Update

Microsoft has released fixes for nine critical and 49 important vulnerabilities as part of Patch Tuesday.

Microsoft released patches for nine critical vulnerabilities as part of its October Patch Tuesday security update, including one for a Remote Desktop bug that could allow a remote attacker to execute code on victims’ machines.

Overall, Microsoft issued fixes for 59 vulnerabilities – including nine critical, 49 important and one moderate in severity.

“This month, the Microsoft release is on the smaller side, with security patches for 59 CVEs and no new advisories,” said Dustin Childs, with the Zero Day Initiative. “The updates cover Microsoft Windows, Internet Explorer, Edge (EdgeHTML-based), ChakraCore, Microsoft Office and Microsoft Office Services and Web Apps, SQL Server Management Studio, Microsoft Dynamics 365, Windows Update Assistant and Open Source Software,” he wrote in his breakdown of Microsoft Patch Tuesday security updates.

One of the critical flaws highlighted by Childs is a troublesome remote code execution vulnerability (CVE-2019-1333) that “exists in the Windows Remote Desktop Client when a user connects to a malicious server.”

The flaw specifically involves Remote Desktop client machines that connect to servers via Remote Desktop Protocol (RDP). RDP is a protocol offered by Microsoft – and used by thousands of enterprises globally – that allows workers to remotely connect their client machines to servers in order to access corporate resources. Remote Desktop clients installed on user machines allow them to connect to a remote server host using RDP. The vulnerability specifically exists when an RDP client connects to a malicious RDP server.

To exploit the vulnerability, an attacker must first compromise a legitimate RDP server by hosting malicious code on it. Next, they must convince the user of a client machine to connect to the server (likely through social engineering). If the attacker succeeds in convincing a client user to connect to the malicious server, they can then remotely send commands to the victim’s machine to install programs, view and change data and create new accounts with full user rights, Microsoft said.

Vulnerabilities in Windows Remote Desktop continue to plague Microsoft. In July, an infamous critical vulnerability (CVE-2019-0708) was disclosed. The flaw, called BlueKeep, was highly wormable and enabled remote code execution.

However, luckily “unlike the infamous BlueKeep RDP vulnerability, (CVE-2019-1333) requires user interaction for an attack to be successful,” said Robert Foggia with Trustwave in an analysis. “An attacker could exploit this vulnerability by convincing a victim to connect to a malicious RDP server.”

Despite that, Microsoft still thinks CVE-2019-1333 is a high-risk flaw, ranking it on its “exploitability index” tool as a 1 out of 3, meaning that “exploitation is more likely.” To fix the flaw, Microsoft said that it corrected “how the Windows Remote Desktop Client handles connection requests.”

On Tuesday, Microsoft also issued an “important” fix for a denial-of-service flaw (CVE-2019-1326) in RDP. An attacker could exploit this flaw by connecting to a server using RDP and sending the server specially crafted requests. The requests would cause the RDP service on the vulnerable server to crash.

Other critical vulnerabilities of note include two remote code execution flaws (CVE-2019-1238, CVE-2019-1239) in VBScript, the language developed by Microsoft that is modeled on Visual Basic. The vulnerabilities stem from the way VBScript handles memory, and could be exploited to execute arbitrary code on a victim’s machine. In order to exploit the flaws, a bad actor would first need to trick users into visiting a specially crafted, malicious website through Internet Explorer.

Four critical memory corruption flaws (CVE-2019-1307, CVE-2019-1308, CVE-2019-1335 and CVE-2019-1366) were patched in the Chakra Scripting Engine, a JavaScript engine developed by Microsoft for its Microsoft Edge web browser.

“An attacker could use these bugs to corrupt memory on the victim machine in a way that would allow them to remotely execute arbitrary code,” according to Jon Munshaw with Cisco Talos in an analysis. “A user could trigger these vulnerabilities by visiting a specially crafted, malicious website in Edge.”

And, Microsoft patched an elevation of privilege flaw in Azure Stack (CVE-2019-1372). This vulnerability stems from the Azure App Service, which fails to properly check the length of a buffer before copying memory to it. That could result in an attacker exploiting this vulnerability “to copy any function run by the user, thereby executing code in the context of NT AUTHORITY/system, which could allow the attacker to escape a sandbox,” according to Microsoft’s advisory.

Unlike its September and August Patch Tuesday releases, there are no zero days in this most recent update; Microsoft said that it has not yet seen any of the vulnerabilities exploited in the wild.
