Welcome back to this month’s Patch Tuesday. Microsoft has published its monthly updates, fixing 77 vulnerabilities, 15 of which were rated as “Critical”. The patch also fixes two zero-day security flaws that were actively being exploited in the wild by Russian state-funded hackers. Both vulnerabilities were leveraged to elevate privileges on an already compromised system. In addition to those zero-day vulnerabilities, 6 other vulnerabilities were publicly disclosed prior to patching, but were not exploited in the wild.
Internet Explorer and Edge
As usual, Microsoft’s browsers received their routine fixes. Microsoft has fixed several “Critical” vulnerabilities in the Chakra scripting engine, which could have been leveraged to execute code remotely. To exploit these vulnerabilities, an attacker would have to lure a victim to a malicious or compromised website; the attacker’s code would then run with the same privileges as the current user.
Remote Desktop Protocol
Used by thousands of IT professionals and security researchers worldwide, the Remote Desktop Protocol (RDP) is usually considered a safe and trustworthy way to connect to remote computers. However, multiple critical vulnerabilities were fixed this month in RDP. Attackers exploiting these vulnerabilities would be able to execute code on the client from the server, reversing the usual direction of control.
Office
Office received a few fixes this month. The vulnerabilities would have allowed attackers to obtain sensitive information, execute code remotely, spoof interfaces, and conduct cross-site scripting attacks on Office web services. Several of these vulnerabilities are rated as “Critical” by Microsoft. To leverage them, attackers would have to lure victims into opening malicious documents or be connected to the Office web service.
Azure Automation
An elevation of privilege vulnerability was patched in Azure Automation “RunAs account” runbooks for users with the Contributor role. Users in this role would not typically have access to Key Vault secrets, but by leveraging this vulnerability they could gain access. To fix this vulnerability, Microsoft is providing scripts for existing RunAsAutomation accounts that modify existing roles by excluding access to Key Vault.
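As an added example (not Microsoft's remediation script), the following check evaluates a role definition the way Azure RBAC does for management operations, Actions minus NotActions with `*` wildcards, and reports which Key Vault operations a role still permits. The three role definitions are constructed and simplified, their names are hypothetical, and data actions and deny assignments are not modelled.

```python
import re

# Key Vault management-plane operations probed by this check.
KEYVAULT_PROBES = [
    "Microsoft.KeyVault/vaults/read",
    "Microsoft.KeyVault/vaults/write",  # includes rewriting access policies
    "Microsoft.KeyVault/vaults/accessPolicies/write",
    "Microsoft.KeyVault/vaults/delete",
]

# Constructed, simplified role definitions (not taken from a real tenant).
BASE_NOT_ACTIONS = [
    "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/elevateAccess/Action",
]
CONTRIBUTOR_LIKE = {"Name": "contributor-like", "Actions": ["*"],
                    "NotActions": list(BASE_NOT_ACTIONS)}
# Failure mode: only the secrets sub-resource is excluded.
PARTIAL = {"Name": "partial-exclusion", "Actions": ["*"],
           "NotActions": BASE_NOT_ACTIONS + ["Microsoft.KeyVault/vaults/secrets/*"]}
# Whole Key Vault resource provider excluded.
RESTRICTED = {"Name": "keyvault-excluded", "Actions": ["*"],
              "NotActions": BASE_NOT_ACTIONS + ["Microsoft.KeyVault/*"]}


def _matches(pattern, action):
    """Case-insensitive match where '*' stands for any run of characters."""
    rx = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(rx, action, re.IGNORECASE) is not None


def allows(role, action):
    """True if the action is granted by Actions and not removed by NotActions."""
    granted = any(_matches(p, action) for p in role.get("Actions", []))
    excluded = any(_matches(p, action) for p in role.get("NotActions", []))
    return granted and not excluded


def keyvault_exposure(role):
    """Return the probed Key Vault operations the role still permits."""
    return [a for a in KEYVAULT_PROBES if allows(role, a)]


if __name__ == "__main__":
    for role in (CONTRIBUTOR_LIKE, PARTIAL, RESTRICTED):
        print(role["Name"], keyvault_exposure(role) or "no Key Vault access")
```

The partial-exclusion role shows why the exclusion has to cover the vault resource itself: a principal that can still write the vault can change who is allowed to read its secrets.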
WCF / WIF SAML Tokens
An authentication bypass vulnerability was fixed in Windows Communication Foundation (WCF) and Windows Identity Foundation (WIF). The flaw allowed SAML tokens to be signed with arbitrary symmetric keys, so an attacker could impersonate another user by presenting a token signed with a key of their own choosing.