Security Experts:

Connect with us

Hi, what are you looking for?



Microsoft Patches Over 90 Vulnerabilities With August 2019 Updates

Microsoft’s August 2019 Patch Tuesday updates fix more than 90 vulnerabilities, but none of them have been exploited in attacks or disclosed publicly before the patches were released.

Microsoft’s August 2019 Patch Tuesday updates fix more than 90 vulnerabilities, but none of them have been exploited in attacks or disclosed publicly before the patches were released.

“Microsoft resolved a total of 93 unique CVEs this month, but surprisingly there are NO zero days OR publicly disclosed vulnerabilities! It has been a long time since I remember that happening,” commented Chris Goettl, director of product management for security at Ivanti.

Of all the security holes patched this month, 29 are rated “critical.” They impact Microsoft’s Edge and Internet Explorer web browsers, Windows, Outlook and Office.

According to Trend Micro’s Zero Day Initiative (ZDI), four of the critical flaws, all related to Remote Desktop Services (RDS) and all allowing remote code execution, appear to be wormable. These vulnerabilities are CVE-2019-1181, CVE-2019-1182, CVE-2019-1222 and CVE-2019-1226.

“These four bugs share the same impact and exploit scenarios. An attacker can get code execution at system level by sending a specially crafted pre-authentication RDP packet to an affected RDS server,” ZDI explained in a blog post. “If that sounds familiar to you, then you are probably thinking about the recently patched BlueKeep vulnerability. Clearly, the folks in Redmond thought similar bugs existed in RDP, and these four patches demonstrate that fact. These bugs also receive Microsoft’s highest exploitability ranking, meaning we could likely see multiple RDP exploits circulating in the near future.”

A remote code execution vulnerability affecting the Windows DHCP client (CVE-2019-0736) could also be wormable since exploitation only involves sending specially crafted packets to the client, without the need for user interaction or authentication.

Another interesting vulnerability that has been rated critical is related to .lnk files. ZDI says the bug, tracked as CVE-2019-1188, is similar to one exploited by the notorious Stuxnet malware back in 2010. The flaw can be exploited by getting the targeted user to open a remote network share or by placing a malicious LNK file on a USB drive. Experts say it could be efficient for attacking air-gapped systems.

This month’s patches also address a Bluetooth vulnerability related to encryption key negotiation. The flaw is tracked as CVE-2019-9506 and CERT/CC is also expected to publish an advisory for it with the identifier VU#918987.

“[The vulnerability] requires specialized hardware to exploit but can allow wireless access and disruption within Bluetooth range of the device being attacked,” Goettl explained.

The remaining 64 vulnerabilities have been assigned an “important” severity rating by Microsoft. They impact Windows, Dynamics, SharePoint, Edge, Internet Explorer, Outlook, and the Jet database engine.

Adobe’s Patch Tuesday updates for this month resolve 118 vulnerabilities across eight products, including After Effects, Character Animator, Premiere Pro, Prelude, Creative Cloud, Acrobat and Reader, Experience Manager, and Photoshop.

Related: Microsoft Not Concerned About Disclosed Edge, IE Flaws

Related: Microsoft Pushing for a Passwordless Windows 10

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet