June Patch Tuesday has come. Microsoft is resolving 88 unique vulnerabilities this month, including four CVEs that have been publicly disclosed. Public disclosure is an indicator of increased risk: before the update was made available, information about the vulnerability, possibly including proof-of-concept code, had already been released to the general public. This means attackers have had early access to engineer an exploit that takes advantage of these vulnerabilities. All four of the public disclosures affect the Windows operating system, making it the top priority to patch this month.
- CVE-2019-1069 is a vulnerability in the Windows Task Scheduler, which could allow Elevation of Privilege on the affected system. This affects Windows 10, Server 2016 and later.
- CVE-2019-1064 is a vulnerability in Windows which could allow Elevation of Privilege on the affected system. This affects Windows 10, Server 2016 and later.
- CVE-2019-1053 is a vulnerability in Windows Shell which could allow Elevation of Privilege on the affected system by escaping a sandbox. This affects all currently supported Windows Operating Systems.
- CVE-2019-0973 is a vulnerability in Windows Installer that could allow Elevation of Privilege on the affected system due to improper sanitization of input from loaded libraries.
BlueKeep (CVE-2019-0708) is still the most threatening vulnerability on the Microsoft platform at the moment. While this month’s lineup of public disclosures increases the urgency of patching all of the Windows operating systems in your environment, it is also a good moment to step back and assess RDP usage in your environment altogether.
There is another RDP angle that is currently being attacked: GoldBrute. Around 1.6 million public-facing RDP servers are currently under attack by this botnet. Instead of exploiting a vulnerability, GoldBrute attacks weak passwords. A couple of things to assess in your environment: Do you have RDP publicly exposed? Have you assessed its configuration? Ideally, block RDP at the perimeter. Restricting access to connections made over a VPN further limits RDP exposure. Enabling Network Level Authentication can help mitigate BlueKeep. Ensure any credentials available over RDP have strong passwords that are changed regularly.
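One way to run the RDP assessment described above on a single host, as an added example that is not part of the original post: a read-only PowerShell audit that reports whether RDP is enabled, whether Network Level Authentication is required, whether the firewall accepts RDP from any address, and which accounts can log on over RDP. It assumes an elevated session and the English names of the built-in "Remote Desktop" firewall group and "Remote Desktop Users" local group; the function name `Get-RdpExposure` is hypothetical.

```powershell
# Added example: read-only audit of local RDP exposure. Run elevated.
function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-RdpExposure {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdp = "$ts\WinStations\RDP-Tcp"
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

    # fDenyTSConnections = 0 means the host accepts RDP connections.
    $rdpEnabled = ((Get-RegValue $ts 'fDenyTSConnections') -eq 0)

    # UserAuthentication = 1 means NLA is required; a Group Policy value overrides the local one.
    $nla = Get-RegValue $pol 'UserAuthentication'
    if ($null -eq $nla) { $nla = Get-RegValue $rdp 'UserAuthentication' }

    $port = Get-RegValue $rdp 'PortNumber'
    if ($null -eq $port) { $port = 3389 }   # default RDP port

    # Enabled inbound allow rules in the built-in group that accept any remote address.
    # Assumption: English display name; custom rules outside this group are not covered.
    $openRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' })

    # Accounts whose passwords matter most: everyone allowed to log on over RDP.
    # Assumption: English group name. Local Administrators can also use RDP by default.
    $rdpUsers = @(Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Name })

    $findings = @()
    if ($rdpEnabled -and $nla -ne 1) { $findings += 'RDP is enabled but NLA is not required' }
    if ($rdpEnabled -and $openRules.Count -gt 0) {
        $findings += 'Firewall allows RDP from any remote address; restrict to VPN or management ranges'
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        RdpEnabled   = $rdpEnabled
        NlaRequired  = ($nla -eq 1)
        Port         = $port
        OpenFwRules  = $openRules.DisplayName -join '; '
        RdpUsers     = $rdpUsers -join '; '
        Findings     = $findings -join ' | '
    }
}

Get-RdpExposure | Format-List
```

The host firewall result only reflects the local rule set; whether the port is reachable from the internet still has to be confirmed at the perimeter.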
Aside from Microsoft, Adobe Flash is the addition to the Patch Tuesday lineup from the non-Microsoft side. The Flash Player update this month resolves one critical vulnerability (CVE-2019-7845), which could allow arbitrary execution of code on the target system. Adobe Flash’s usage globally has been in decline with the inevitable end of life coming in early 2020, but it is still a target of opportunity for attackers, so wherever you cannot eliminate it you should be patching it as soon as possible.