20-Year-Old Unpatched Flaw and Critical Vulnerabilities Revealed
Unlike BlueKeep, which affected only the older and unsupported Windows operating systems, the bugs recently disclosed in Microsoft’s August 2019 Patch Tuesday release affect newer versions: specifically Windows 7, 8, 8.1, and 10, as well as Server 2008, 2012, 2016, and even 2019. As of last month, the BlueKeep vulnerability may still be unpatched on just under 1 million legacy devices. The new bugs brought to light in August can affect nearly 1 billion devices worldwide, since Windows 10 alone runs on more than 700 million devices.
The bugs (CVE-2019-1181, CVE-2019-1182, CVE-2019-1222, and CVE-2019-1226) essentially make it possible for unauthenticated attackers to execute malicious code by sending a specially crafted message when Network Level Authentication (NLA) is switched off, as is commonly done in enterprise networks. This paves the way for other potential malware events such as ransomware.
Additionally, a 20-year-old vulnerability (CVE-2019-1162) was discovered in the legacy operating systems; a patch is also available for it. This vulnerability is described as “a privilege escalation vulnerability when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system.”
Back in June, the National Security Agency issued an urgent advisory to all Windows-based administrators, as well as users, to ensure they’re fully patched and secure. “This is the type of vulnerability that malicious cyber actors frequently exploit through the use of software code that specifically targets the vulnerability.
“For example, the vulnerability could be exploited to conduct denial of service attacks. It is likely only a matter of time before remote exploitation code is widely available for this vulnerability. NSA is concerned that malicious cyber actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems.” It’s safe to assume that the NSA will be releasing additional advisories shortly.
“These vulnerabilities include all of the latest versions of Windows, as well as the maturing versions,” stated Jon Cassell, Senior Solutions Architect for Verismic Software, Inc. “Consumers and organizations alike will need to prioritize the latest patches from Microsoft to ensure that these ‘wormable’ defects are remediated as soon as possible.”