Post-Patch Tuesday Roundup: August 2019

Tim Lovegrove

Security Analyst

Welcome to the August 2019 Patch Roundup, where we look at the latest updates from the main vendors released on Patch Tuesday and dissect a few of the key releases. This month might have set a new record for both the quantity and severity of issues patched, particularly by Microsoft, so let’s get on with it.

Microsoft

In a mammoth patch release, Microsoft fixed 93 vulnerabilities across its platforms, of which 29 are Critical and the bulk of which affect Windows 10. A few have even gained their own nickname: a group of 7 RDP-related (Remote Desktop) bugs have been dubbed “Seven Monkeys”. These include wormable flaws similar to the BlueKeep bug, memory content disclosure flaws and a DoS attack. Microsoft have once again stated that these are likely to be weaponised fairly quickly.

One further vulnerability, CVE-2019-1162, shows up the complexity of modern operating systems. Famed researcher Tavis Ormandy released a piece of work earlier this week on Google’s Project Zero blog, describing, in excruciating detail, the lengths he went to in picking apart the Windows Text Services Framework. The framework, which includes the CTF module, is used for managing input services in the OS. By manipulating the behaviour of these 20+ year old components via notepad.exe, he was able to elevate himself to SYSTEM privileges. His blog post is well worth a read for the nerdier among us.

Aside from these headline bugs, further issues in DHCP clients have been patched across Microsoft’s currently supported OSes, along with fixes for Edge & IE, a Hyper-V hypervisor escape and the Chakra scripting engine.

As a side note, some researchers have noted their machines being adversely affected by one or more of the updates released this month. This could be caused by a number of individual machine-specific things rather than being an inherent issue with the updates themselves, but it highlights the need to test updates carefully before deployment to production systems.

Adobe

For the second month running, Adobe haven’t felt the need to update Flash. Instead, they have dropped updates for Reader/Acrobat and a range of their other products, including Photoshop, After Effects and others.

Wind River VxWorks

VxWorks is a little-known but widely used platform known as a Real Time Operating System. The RTOS underpins a wide range of industrial control systems, healthcare systems, lifts and SCADA equipment, as well as being the underlying OS for a number of big-brand switches, routers and firewalls. There’s a strong likelihood that something in your building or network runs it.

The URGENT/11 vulnerabilities affect the TCP/IP stack built into older versions of VxWorks and, since this OS often appears on devices which are rarely updated or upgraded, the vulns are thought to be very widespread. The first challenge is to detect and identify the affected devices, no easy feat when many could be squirreled away on BMS networks. Identifying the relevant patches and getting the devices updated is the next step. However, it could be more practical to look at compensating controls or enhancing the segregation and perimeter controls around these devices. If the devices are segregated from remote connections, either by strong, well-designed firewall configurations or by being physically segregated from the Internet, the risk can be reduced, buying time to update the systems appropriately.