11 Sep 2019
Microsoft issued security updates yesterday to plug roughly 80 security holes in its Windows operating systems and software. Over 25% of those updates are critical. This is the fourth time this year that Microsoft has had to fix bugs in its Remote Desktop feature.
Two of the bugs resolved in this month’s patch batch (CVE-2019-1214 and CVE-2019-1215) are privilege escalation flaws that have already been exploited to take over targeted systems. Another update patches a critical vulnerability involving shortcut files that end in the “.lnk” extension. “.lnk” files were one of the four known exploits bundled with Stuxnet, the weapon that the U.S. and Israeli intelligence services deployed against Iran years ago. Adobe also fixed two critical bugs in its Flash Player browser plugin.
According to KrebsOnSecurity, there “do not appear to be any patch-now-or-be-compromised-tomorrow flaws in the September patch rollup” and users are encouraged to “wait a few days” for any patch glitches to be corrected before applying these fixes. KrebsOnSecurity also reminds users to make sure that files are backed up prior to any updates and, for security reasons, to follow the 3-2-1 backup rule.