Microsoft Patch Tuesday August 2019: WannaCry-level “wormable” flaws patched


No matter how prepared you are, Patch Tuesday never fails to throw in a surprise. The highly anticipated Microsoft Patch Tuesday August 2019 arrives with a warning note from the Microsoft Security Response Center: “August 2019 Security Update includes fixes for wormable RCE vulnerabilities in Remote Desktop Services (RDS), affecting all in-support versions of Windows. These should be patched quickly.”

Just like the BlueKeep vulnerability that was patched in this May’s Patch Tuesday, the two critical remote code execution (RCE) flaws tracked as CVE-2019-1181 and CVE-2019-1182 are wormable. Any malware capable of exploiting these wormable flaws could propagate itself from one vulnerable computer to another without user interaction. Does that ring a bell? 2017’s deadliest ransomware, WannaCry, worked exactly the same way, highlighting how serious these flaws are. Besides those flaws, there are two more critical vulnerabilities, CVE-2019-1222 and CVE-2019-1226, affecting Remote Desktop Services. All of these vulnerabilities can be exploited without authentication or user interaction.

In total, the Microsoft Patch Tuesday August 2019 updates fix 93 vulnerabilities in Windows OSs and related products. Of these, 29 are rated critical, including the four wormable RCE vulnerabilities. Surprisingly, none of these vulnerabilities were publicly disclosed before the patches were released, and none have been exploited in attacks.

Patch Tuesday updates for Microsoft products

Microsoft Patch Tuesday August 2019 covers vulnerabilities in:

  • Windows OSs
  • Microsoft Edge
  • Internet Explorer
  • Microsoft Office
  • Microsoft Outlook
  • Windows RDP
  • Active Directory
  • Microsoft Jet Database Engine
  • Adobe products

Here’s a brief look at Microsoft Patch Tuesday August 2019’s most important releases.

Critical vulnerabilities patched

The 29 critical vulnerabilities impact Edge, Internet Explorer, Windows, Outlook, and Office.

Other important vulnerabilities

Of all the vulnerabilities, 64 have been assigned an important severity rating by Microsoft. Windows OSs, Dynamics, SharePoint, Edge, Internet Explorer, Outlook, and Jet Database Engine are affected by them.

Third-party patches: Adobe updates

Adobe, another tech giant, has also patched 118 vulnerabilities across its After Effects, Character Animator, Premiere Pro, Prelude, Creative Cloud, Acrobat, Reader, Experience Manager, and Photoshop products.

How to handle Microsoft Patch Tuesday updates for August 2019

The following are a few best practices to tackle Microsoft Patch Tuesday August 2019 and ensure your organization is safe against threat actors leveraging software vulnerabilities.

  • Prioritize patching for these four critical RCE flaws since wormable vulnerabilities receive Microsoft’s highest exploitability ranking: CVE-2019-1181, CVE-2019-1182, CVE-2019-1222, and CVE-2019-1226.
  • Automate other critical and important updates soon after that.
  • Schedule patches to go out during non-business hours to prevent downtime.
  • Create a test group to verify the stability of Patch Tuesday updates before rolling them out to production machines.
  • Decline problematic patches and less critical patches to prioritize important issues.
  • Postpone or schedule reboots for critical machines and servers.
  • Run patch reports to ensure network endpoints are up-to-date with the latest patches.

If you’re a sysadmin, you probably know what this means for you: a week full of testing and deploying updates on thousands of machines and troubleshooting patch failures, and then another week or so of waiting for hotfixes to mend issues in patches that were already released to patch issues.

Don’t worry, we’ve got you covered.

ManageEngine offers two solutions—Desktop Central and Patch Manager Plus. Both help you automate all the best practices mentioned above from one central console. Try both solutions free for 30 days to keep more than 750 applications, including over 300 third-party applications, up-to-date.

** Optrics Inc. is an Authorized ManageEngine partner
