BlueKeep still the most threatening vulnerability
By Chris Goettl, Director of Product Management, Security, Ivanti
June Patch Tuesday has come. Microsoft is resolving 88 unique vulnerabilities this month, including four CVEs that have been publicly disclosed. Public disclosure is an indicator of increased risk: before the update was made available, information about the vulnerability, including possible proof-of-concept code, had already been released to the general public. This means attackers have had early access to engineering an exploit that takes advantage of these vulnerabilities. All four of the public disclosures affect the Windows operating system, making it the top priority to patch this month.
Publicly disclosed vulnerabilities this month:
CVE-2019-1069 is a vulnerability in the Windows Task Scheduler which could allow elevation of privilege on the affected system. This affects Windows 10, Server 2016 and later.
CVE-2019-1064 is a vulnerability in Windows which could allow elevation of privilege on the affected system. This affects Windows 10, Server 2016 and later.
CVE-2019-1053 is a vulnerability in the Windows Shell which could allow elevation of privilege on the affected system by escaping a sandbox. This affects all currently supported Windows operating systems.
CVE-2019-0973 is a vulnerability in Windows Installer that could allow elevation of privilege on the affected system due to improper sanitization of input from loaded libraries. This affects all currently supported Windows operating systems.
BlueKeep is still the reigning champ, but take a step back: RDP in general needs some attention.
BlueKeep (CVE-2019-0708) is still the most threatening vulnerability on the Microsoft platform at the moment. While this month's lineup of public disclosures increases the urgency of patching all of the Windows operating systems in your environment, it is also a good moment to step back and assess Remote Desktop Protocol (RDP) usage in your environment altogether. Currently, around 1.6 million public-facing RDP servers are under attack by a botnet called GoldBrute. Instead of exploiting a vulnerability, GoldBrute is attacking weak passwords. A couple of things to assess in your environment: do you have public-facing RDP services exposed? Have you assessed their configuration? Ideally, blocking RDP at the perimeter is best. Requiring a VPN to reach RDP further limits its exposure. Enabling Network Level Authentication (NLA) can help mitigate BlueKeep. Ensure any credentials usable over RDP have strong passwords that are changed regularly.
Aside from Microsoft, Adobe Flash is the addition to the Patch Tuesday lineup from the non-Microsoft side. The Flash Player update this month resolves one critical vulnerability (CVE-2019-7845), which could allow arbitrary code execution on the target system. Adobe Flash's usage globally has been in decline, with the inevitable end-of-life coming in early 2020, but it is still a target of opportunity for attackers, so wherever you cannot eliminate it you should be patching it as soon as possible.
Products with updates this month:
Adobe Flash Player
Microsoft Office and Microsoft Office Services and Web Apps
ChakraCore (development binary)
Skype for Business and Microsoft Lync
Microsoft Exchange Server (advisory ADV190018)
Azure (development binary)
Prioritize updates for the Windows operating system to resolve publicly disclosed vulnerabilities and critical remote code execution vulnerabilities.
The IE and Edge browsers have a number of user-targeted, critical vulnerabilities that should also be a priority.
BlueKeep is still a significant threat. Ensure you have applied the May or June cumulative updates for the Windows operating systems for XP, Windows 7, Server 2003, 2008, and 2008 R2.
RDP, in general, is a security risk. We recommend all companies evaluate their RDP use and mitigate the risks. Public-facing RDP services should be behind a VPN, not directly exposed. Use NLA where possible. Configure any credential with RDP access to use strong passwords and change them frequently.
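The RDP checks recommended above and in the BlueKeep section (is RDP enabled, is NLA required, is the listening port reachable on the Public firewall profile, and is the host already seeing the kind of password guessing GoldBrute performs) can be audited per host with the following PowerShell script. It is an added example, not code from the article or from Ivanti; it reads the standard Terminal Server registry values, the Windows Firewall rule set and Security event ID 4625 (failed logon), and it assumes it is run in an elevated session because the Security log requires administrator rights.

```powershell
# Added example (not from the article): audit one Windows host's RDP exposure and
# recent failed-logon volume. Run from an elevated PowerShell session.

$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcpKey = "$rdpKey\WinStations\RDP-Tcp"

# 1. Is inbound RDP enabled at all? fDenyTSConnections = 1 means Remote Desktop is off.
$rdpDisabled = (Get-ItemProperty -Path $rdpKey -Name fDenyTSConnections).fDenyTSConnections -eq 1

# 2. Is Network Level Authentication required? UserAuthentication = 1 means NLA is on,
#    so a client must authenticate before a full RDP session (and its attack surface) is set up.
$nlaOn = (Get-ItemProperty -Path $tcpKey -Name UserAuthentication).UserAuthentication -eq 1

# 3. Which port does the RDP listener use? The default is 3389.
$port = (Get-ItemProperty -Path $tcpKey -Name PortNumber).PortNumber

# 4. Is that port allowed inbound on the Public profile (i.e. reachable from untrusted networks)?
$publicRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { "$($_.Profile)" -match 'Public|Any' } |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$port" }

# 5. Failed logons in the last 24 hours, grouped by source IP. A single IP with a large
#    count is the signature of password guessing rather than a user mistyping a password.
$since  = (Get-Date).AddHours(-24)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        ($x.Event.EventData.Data | Where-Object Name -eq 'IpAddress').'#text'
    } |
    Where-Object { $_ -and $_ -ne '-' } |
    Group-Object | Sort-Object Count -Descending | Select-Object -First 10 Name, Count

# Summary of the posture checks.
[pscustomobject]@{
    RdpEnabled       = -not $rdpDisabled
    NlaRequired      = $nlaOn
    ListeningPort    = $port
    PublicAllowRules = @($publicRules | Select-Object -ExpandProperty DisplayName)
} | Format-List

if ($failed) {
    'Top sources of failed logons in the last 24 hours:'
    $failed | Format-Table -AutoSize
} else {
    'No failed logons recorded in the last 24 hours.'
}
```

A host where RdpEnabled is true, NlaRequired is false and PublicAllowRules is non-empty matches the exposure the article warns about and should be moved behind the VPN and have NLA enabled; the failed-logon table is the quickest way to tell whether it is already being guessed against. The script can be pushed to many hosts with Invoke-Command to turn the assessment into an inventory.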
About the author
Chris Goettl is the Director of Product Management, Security, at Ivanti. Chris is a strong industry voice with more than 10 years of experience in supporting, implementing, and training IT admins on how to implement strong patching processes. He hosts a monthly Patch Tuesday webinar, blogs on vulnerability and related software security topics, and his commentary is often quoted as a security expert in the media. Chris can be reached online at firstname.lastname@example.org, on Twitter @chrisgoettl and at Ivanti's website: www.ivanti.com.