Microsoft October Update Patches Nine Critical Vulnerabilities

Microsoft patched 59 vulnerabilities yesterday, releasing one advisory for Windows 10 Servicing Stack.

Of the 59 vulnerabilities patched, nine are classified as “critical.” There were no vulnerabilities exploited in the wild this month, nor were any publicly disclosed prior to Patch Tuesday.

Jimmy Graham, senior director of product management at Qualys, said that alongside these patches, a Remote Code Execution vulnerability (CVE-2019-1372) exists in Azure App Service on Azure Stack which escapes the sandbox and can execute malicious code as System. “If you have the Azure App Service deployed to your Azure Stack, this patch should be prioritized,” he said.

Satnam Narang, senior research engineer at Tenable, said: “Two more vulnerabilities in Remote Desktop were patched this month. CVE-2019-1333 is a remote code execution vulnerability in Remote Desktop Client which requires an attacker to convince a user to connect to a malicious server using the Remote Desktop Protocol (RDP), or compromise an existing server and host malicious code on it, while waiting for vulnerable clients to connect.

“CVE-2019-1326 is a denial of service flaw in RDP that would allow an attacker to exploit it by connecting to the server and sending specially crafted requests, causing the RDP service on the vulnerable server to stop responding.

“There is also a pair of Win32k elevation of privilege vulnerabilities (CVE-2019-1362, CVE-2019-1364) caused by a failure in how the Windows kernel-mode driver handles objects in memory. These vulnerabilities require an attacker to have previously compromised a system before they can elevate privileges. Both vulnerabilities affect Windows Server 2008 and Windows 7, which will no longer receive security updates after January 14, 2020.”
