Cyber Defense Magazine – July 2019

(Sean Pound) #1

CVE-2019-1053 is a vulnerability in Windows Shell which could allow elevation of privilege on the affected
system by escaping a sandbox. This affects all currently supported Windows operating systems.


CVE-2019-0973 is a vulnerability in Windows Installer that could allow elevation of privilege on the affected
system due to improper sanitization of input from loaded libraries. This affects all currently supported
Windows operating systems.


BlueKeep is still the reigning champ, but take a step back. RDP in general needs some attention:


BlueKeep (CVE-2019-0708) is still the most threatening vulnerability on the Microsoft platform at the
moment. While this month's lineup of public disclosures increases the urgency of patching all of the
Windows operating systems in your environment, it is also a good moment to step back and assess
Microsoft desktop protocol (RDP) usage in your environment altogether. Currently around 1.6 million
public-facing RDP servers are under attack by a botnet called GoldBrute. Instead of exploiting a
vulnerability, GoldBrute is attacking weak passwords. A couple of things to assess in your environment:
do you have public-facing RDP services exposed? Have you assessed their configuration? Ideally, blocking
RDP at the perimeter is best. Restricting access to a VPN controls the exposure of RDP more. Enabling
Network Level Authentication can help mitigate BlueKeep. Ensure any credentials available over RDP have
strong passwords that are changed regularly.
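
One way to run the configuration check described above on a single Windows host, as an added example that is not part of the original article. It assumes the standard Terminal Server registry keys and the built-in NetSecurity firewall cmdlets, and it only reads settings.

```powershell
# Added example: read-only audit of this host's RDP settings.
# Assumes the standard Terminal Server registry keys and the NetSecurity module.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcpKey = "$tsKey\WinStations\RDP-Tcp"

$ts       = Get-ItemProperty -Path $tsKey
$listener = Get-ItemProperty -Path $tcpKey
$port     = [string]$listener.PortNumber
$findings = @()

# fDenyTSConnections = 0 means the host accepts RDP connections.
$rdpEnabled = ($ts.fDenyTSConnections -eq 0)

if ($rdpEnabled) {
    # UserAuthentication = 1 requires Network Level Authentication (NLA).
    if ($listener.UserAuthentication -ne 1) {
        $findings += 'NLA is not required (UserAuthentication != 1)'
    }
    # SecurityLayer: 0 = native RDP security, 1 = negotiate, 2 = TLS.
    if ($listener.SecurityLayer -eq 0) {
        $findings += 'Listener uses native RDP security instead of TLS'
    }
    # Enabled inbound allow rules that name the RDP port and accept any remote
    # address. Rules that allow all ports are not covered by this check.
    $open = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $af = $_ | Get-NetFirewallAddressFilter
            $pf.Protocol -eq 'TCP' -and $pf.LocalPort -contains $port -and
                $af.RemoteAddress -contains 'Any'
        }
    foreach ($rule in $open) {
        $findings += "Firewall rule '$($rule.DisplayName)' allows TCP/$port from any address"
    }
}

# One summary object per host; an empty Findings list means no issue was flagged.
[pscustomobject]@{
    Computer   = $env:COMPUTERNAME
    RdpEnabled = $rdpEnabled
    Port       = $port
    NlaEnabled = ($listener.UserAuthentication -eq 1)
    Findings   = $findings
}
```

A host firewall rule scoped to any address does not by itself show that the host is reachable from the internet, so compare the result with your perimeter and VPN rules.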


Aside from Microsoft, Adobe Flash is the non-Microsoft addition to the Patch Tuesday lineup.
The Flash Player update this month resolves one critical vulnerability (CVE-2019-7845), which could allow
arbitrary execution of code on the target system. Adobe Flash's usage globally has been in decline with
the inevitable end-of-life coming in early 2020, but it is still a target of opportunity for attackers, so
wherever you cannot eliminate it you should be patching it as soon as possible.


Affected products:


Adobe Flash Player

Microsoft Windows

Internet Explorer

Microsoft Edge

Microsoft Office and Microsoft Office Services and Web Apps

ChakraCore (development binary)

Skype for Business and Microsoft Lync

Microsoft Exchange Server (advisory ADV190018)

Azure (development binary)
