Microsoft fixes critical remote desktop bug – Naked Security


Microsoft fixed 59 vulnerabilities in October’s Patch Tuesday, including several critical remote code execution (RCE) flaws.

One of the most significant was a flaw (CVE-2019-1333) in the company’s Remote Desktop Client that enables a malicious server to gain control of a Windows computer connecting to it. An attacker could accomplish this using social engineering, DNS poisoning, a man-in-the-middle attack, or by compromising a legitimate server, Microsoft warned. Once they compromised the client, they could execute arbitrary code on it.

Another critical RCE vulnerability affected the MS XML parser in Windows 8.1, Windows 10, Windows Server 2012 through 2019, and RT 8.1. An attacker can trigger the CVE-2019-1060 flaw through a malicious website that invokes the parser in a browser.

A memory corruption bug in Edge’s Chakra scripting engine (CVE-2019-1366) also enables a malicious website to trigger RCE, operating at the user’s account privileges, while an RCE vulnerability in Azure Stack, Microsoft’s on-premises extension of its Azure cloud service, escapes the sandbox by running arbitrary code with the NT AUTHORITYsystem account.

The company also patched a critical RCE bug in VBScript that lets an attacker corrupt memory and take control of the system, usually by sending an ActiveX control via a website or Office document. Hopefully bugs in VBScript will become less important over time now that the company has deprecated the language.