
Flurry of Hyper-V Vulnerabilities Reported: But Microsoft Spots the Worst In-House

BlueKeep exploitation fears remain...

By CBR Staff Writer

Six Hyper-V vulnerabilities made it into this month’s Patch Tuesday: an unusually high number for Microsoft’s hardware virtualisation offering, which lets you run multiple operating systems as virtual machines on Windows (and which draws the highest bounties under the company’s active bug bounty programme).

No doubt pleasingly for Microsoft, four were identified by Joseph Bialek of the Microsoft Security Response Center (MSRC) Vulnerabilities and Mitigations Team, one by the company’s own Hyper-V development team, and just one by a named third party: HongZhenhao of “IceSword Lab” at Chinese security company Qihoo 360.

Microsoft is resolving 88 unique vulnerabilities in this month’s “Patch Tuesday”. The patches come as a Google security researcher revealed a Windows zero day that remains unpatched after Microsoft missed a 90-day deadline.

Four are publicly disclosed CVEs.

  • CVE-2019-1069 is a vulnerability in the Windows Task Scheduler which could allow Elevation of Privilege on the affected system. This affects Windows 10, Server 2016 and later.
  • CVE-2019-1064 is a vulnerability in Windows which could allow Elevation of Privilege on the affected system. This affects Windows 10, Server 2016 and later.
  • CVE-2019-1053 is a vulnerability in Windows Shell which could allow Elevation of Privilege on the affected system by escaping a sandbox. This affects all currently supported Windows operating systems.
  • CVE-2019-0973 is a vulnerability in Windows Installer that could allow Elevation of Privilege on the affected system due to improper sanitisation of input from loaded libraries.

But security experts said the greatest issue remains “BlueKeep”, a potentially devastating vulnerability reported to Microsoft by the UK’s NCSC last month that remains unpatched by an estimated million Windows users around the world.

Chris Goettl, Director of Security Solutions at Ivanti, said: “BlueKeep (CVE-2019-0708) is still the most threatening vulnerability on the Microsoft platform at the moment. While this month’s line-up of public disclosures increases the urgency of patching all of the Windows operating systems in your environment, it is also a good moment to step back and assess Microsoft Desktop Protocol (RDP) usage in your environment altogether.”

“Currently around 1.6 million public facing RDP servers are under the attack of a botnet called GoldBrute. Instead of exploiting a vulnerability, GoldBrute is attacking weak passwords. A couple of things to assess in your environment: do you have public facing RDP services exposed? Have you assessed its configuration? Ideally, blocking RDP at the perimeter is best. Restricting access to a VPN controls the exposure of RDP more. Enabling Network Level Authentication can help mitigate BlueKeep. Ensure any credentials available over RDP have strong passwords that are changed regularly.”
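The checks named in the quote above (is RDP enabled, is Network Level Authentication required, is the firewall open to any address) can be read from a Windows host's own configuration. The following PowerShell audit is an added example, not part of the original article or of any Ivanti or Microsoft tooling; it assumes an elevated session on an English-locale Windows host, where the built-in firewall group is named "Remote Desktop".

```powershell
# Added example: local audit of the RDP exposure settings discussed above.
$tsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey    = Join-Path $tsKey 'WinStations\RDP-Tcp'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

$ts     = Get-ItemProperty -Path $tsKey
$rdp    = Get-ItemProperty -Path $rdpKey
# Group Policy values, when present, take precedence over the local settings.
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

function Resolve-Setting($policyValue, $localValue) {
    if ($null -ne $policyValue) { $policyValue } else { $localValue }
}

# fDenyTSConnections = 0 means the host accepts Remote Desktop connections.
$deny = Resolve-Setting $policy.fDenyTSConnections $ts.fDenyTSConnections
# UserAuthentication = 1 means Network Level Authentication is required.
$nla  = Resolve-Setting $policy.UserAuthentication $rdp.UserAuthentication

# Enabled inbound rules in the built-in "Remote Desktop" firewall group.
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }

# A rule whose remote address filter is "Any" admits connections from every source.
$openToAny = $false
foreach ($rule in $rules) {
    $filter = $rule | Get-NetFirewallAddressFilter
    if ($filter.RemoteAddress -contains 'Any') { $openToAny = $true }
}

$report = [pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    RdpEnabled        = ($deny -eq 0)
    NlaRequired       = ($nla -eq 1)
    ListenPort        = $rdp.PortNumber
    FirewallOpenToAny = $openToAny
}
$report | Format-List

# Flag the combinations the quote warns about.
if ($report.RdpEnabled -and -not $report.NlaRequired) {
    Write-Warning 'RDP is enabled without Network Level Authentication.'
}
if ($report.RdpEnabled -and $report.FirewallOpenToAny) {
    Write-Warning 'RDP firewall rules accept any remote address; restrict to VPN or management ranges.'
}
```

This reports only the host's own settings; whether the port is reachable from the internet still depends on perimeter devices and has to be checked there.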

On the non-Microsoft side, Adobe Flash is the addition to the Patch Tuesday line-up. The Flash Player update this month resolves one critical vulnerability (CVE-2019-7845), which could allow arbitrary execution of code on the target system. Adobe Flash’s usage globally has been in decline, with the inevitable end-of-life coming in early 2020, but it is still a target of opportunity for attackers, so wherever you cannot eliminate it you should patch it as soon as possible.
