Microsoft has brought the August security release that patches as many as 93 vulnerabilities, including 29 issues rated Critical and 64 marked as Important. The latest Windows release, which is commonly known as the Patch Tuesday, also carries fixes for the four remote code execution bugs that could allow attackers to remotely overtake your computer. Alongside system-level patches, the August security release includes updates for the preloaded Internet Explorer, Microsoft Edge, and Online Services as well as Microsoft Office and Microsoft Office services, Visual Studio, and Microsoft Dynamics among other software packages. Microsoft is urging Windows 10 users
In the list of vulnerabilities that the Patch Tuesday August security release fixes, Microsoft has underlined four loopholes that are the remote code execution bugs, which have been fixed in the Windows Remote Desktop Services (RDS) component. These vulnerabilities are listed as CVE-2019-1181, CVE-2019-1182, CVE-2019-1222, and CVE-2019-1226. There are the first two vulnerabilities that Microsoft calls ‘wormable’, meaning any future malware once exploits could propagate from one vulnerability computer to another without any user interaction.
Director of Incident Response at Microsoft Security Response Centre (MSRC) Simon Pope in a dedicated blog post mentions that the wormable vulnerabilities exist in Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, and all supported versions of Windows 10, including server versions. However, Windows XP, Windows Server 2003, and Windows Server 2008 aren’t affected. The Remote Desktop Protocol (RDP) also remains unaffected.
“These vulnerabilities were discovered by Microsoft during hardening of Remote Desktop Services as part of our continual focus on strengthening the security of our products,” writes Pope in the blog post. “At this time, we have no evidence that these vulnerabilities were known to any third party.”
Apart from the patches specifically for the RDS component, the latest Windows security release fixes seven remote code execution bugs that affect the Chakra scripting engine. There are also two fixes towards Microsoft’s Hyper-V and two in Word. The release also patches the loophole CVE-2019-1162 in the CTF protocol that was disclosed by Google Project Zero researcher Tavis Ormandy on Tuesday and exists in all Windows versions starting from Windows XP.
Users on all compatible Windows versions are advised to download the latest security release on their systems. You can download the updates available through the new release manually through Microsoft’s Security Update Guide. Moreover, the security updates may have already reached your system if you’ve enabled the automatic updates option.