
Patch Tuesday: Microsoft Security Bulletin Summary for September 2019.
Microsoft released its September 2019 Patch Tuesday security updates today, addressing 80 common vulnerabilities and exposures (CVEs) across the Windows family of operating systems and other products. Of these, 17 are classified as “Critical”, 61 as “Important”, and 1 as “Moderate”. A good Vulnerability Management System can help keep systems protected against attacks that target these flaws.
While most of the “Critical” rated vulnerabilities affect the scripting engines and browsers in an assortment of Microsoft products, two “zero-day” vulnerabilities that are being actively exploited in the wild have caught our eye. A Vulnerability Management System can resolve these issues by getting the fixes deployed quickly.
- Windows Common Log File System Driver Elevation of Privilege Vulnerability | CVE-2019-1214: An elevation of privilege vulnerability exists when the Windows Common Log File System (CLFS) driver improperly handles objects in memory. To exploit the vulnerability, an attacker would first have to log on to the system and then run a specially crafted application to take control of the affected system; if successful, the attacker could run processes in an elevated context.
- Windows Elevation of Privilege Vulnerability | CVE-2019-1215: An elevation of privilege vulnerability exists in the way that ws2ifsl.sys (Winsock) handles objects in memory. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application; if successful, the attacker could execute code with elevated privileges.
Publicly Disclosed Vulnerabilities, Microsoft Patch Tuesday, September 2019:
Microsoft also patched two vulnerabilities that were publicly disclosed before the release:
- Windows Text Service Framework Elevation of Privilege Vulnerability | CVE-2019-1235: An elevation of privilege vulnerability exists in the Windows Text Service Framework (TSF) when the TSF server process does not validate the source of input or commands it receives. To exploit the vulnerability, an attacker would first have to log on to the system and then run a specially crafted application to take control of the affected system; if successful, the attacker could inject commands or read input sent through a malicious Input Method Editor (IME). Note: This only affects systems that have an IME installed.
- Windows Secure Boot Security Feature Bypass Vulnerability | CVE-2019-1294: A security feature bypass exists when Windows Secure Boot improperly restricts access to debugging functionality. To exploit the vulnerability, an attacker must gain physical access to the target system before the next system reboot; on a successful exploit, the attacker could disclose protected kernel memory.
Four Critical vulnerabilities in the Microsoft Remote Desktop Client are also addressed in this Patch Tuesday (CVE-2019-1290, CVE-2019-1291, CVE-2019-0787, CVE-2019-0788). Unlike BlueKeep (CVE-2019-0708) and DejaBlue, disclosed in May and August respectively and discovered by Microsoft’s internal team, which targeted vulnerable Remote Desktop servers, these vulnerabilities require an attacker to convince a user, via social engineering, DNS poisoning, or a Man in the Middle (MITM) attack, to connect to a malicious Remote Desktop server.
CVE-2019-1280:
Another interesting “Critical” remote code execution vulnerability fixed in Microsoft Patch Tuesday, September 2019 (CVE-2019-1280) lies in the way Windows handles link files ending in “.lnk”. Successful exploitation requires an attacker to present the user with a removable drive or remote share containing a booby-trapped malicious “.lnk” file; when the user opens this drive or remote share, the malware is launched on a vulnerable system. Users whose accounts have the least privileges could be less impacted than users with administrative privileges.
It may be significant that poisoned “.lnk” files were one of the four known exploits bundled with Stuxnet (“a multi-million dollar cyberweapon that American and Israeli intelligence services used to derail Iran’s nuclear enrichment plans roughly a decade ago.”)
Microsoft released patches for 12 more Critical vulnerabilities to address remote code execution attacks that reside in various Microsoft products such as Yammer, Scripting Engine, Chakra Scripting Engine, SharePoint server, VBScript, and Team Foundation Server.
A couple of other Important vulnerabilities also lead to remote code execution, while the rest allow elevation of privilege, cross-site scripting (XSS), security feature bypass, information disclosure, and denial of service attacks.
Along with Microsoft, Adobe also released patches for two Critical vulnerabilities in the Flash Player browser plugin (ADV190022), which is packaged with Microsoft’s IE/Edge and with Chrome, that could lead to arbitrary code execution.
Product Information:
1) Product: Microsoft Windows
   CVEs/Advisory: CVE-2019-0787, CVE-2019-0788, CVE-2019-0928, CVE-2019-1214, CVE-2019-1215, CVE-2019-1216, CVE-2019-1219, CVE-2019-1232, CVE-2019-1235, CVE-2019-1240, CVE-2019-1241, CVE-2019-1242, CVE-2019-1243, CVE-2019-1244, CVE-2019-1245, CVE-2019-1246, CVE-2019-1247, CVE-2019-1248, CVE-2019-1249, CVE-2019-1250, CVE-2019-1251, CVE-2019-1252, CVE-2019-1253, CVE-2019-1254, CVE-2019-1256, CVE-2019-1267, CVE-2019-1268, CVE-2019-1269, CVE-2019-1270, CVE-2019-1271, CVE-2019-1272, CVE-2019-1273, CVE-2019-1274, CVE-2019-1277, CVE-2019-1278, CVE-2019-1280, CVE-2019-1282, CVE-2019-1283, CVE-2019-1284, CVE-2019-1285, CVE-2019-1286, CVE-2019-1287, CVE-2019-1289, CVE-2019-1290, CVE-2019-1291, CVE-2019-1292, CVE-2019-1293, CVE-2019-1294, CVE-2019-1303
   Impact: Denial of Service, Elevation of Privilege, Information Disclosure, Remote Code Execution, Security Feature Bypass, Spoofing
   Severity: Critical
   KBs: 4512578, 4515384, 4516026, 4516033, 4516044, 4516051, 4516055, 4516058, 4516062, 4516064, 4516065, 4516066, 4516067, 4516068, 4516070
2) Product: Internet Explorer
   CVEs/Advisory: CVE-2019-1208, CVE-2019-1220, CVE-2019-1221, CVE-2019-1236
   Impact: Remote Code Execution, Security Feature Bypass
   Severity: Critical
   KBs: 4512578, 4515384, 4516026, 4516044, 4516046, 4516055, 4516058, 4516065, 4516066, 4516067, 4516068, 4516070
3) Product: Microsoft Edge (EdgeHTML-based)
   CVEs/Advisory: CVE-2019-1138, CVE-2019-1217, CVE-2019-1220, CVE-2019-1237, CVE-2019-1298, CVE-2019-1299, CVE-2019-1300
   Impact: Information Disclosure, Remote Code Execution, Security Feature Bypass
   Severity: Critical
   KBs: 4512578, 4515384, 4516044, 4516058, 4516066, 4516068, 4516070
4) Product: ChakraCore
   CVEs/Advisory: CVE-2019-1138, CVE-2019-1217, CVE-2019-1237, CVE-2019-1298, CVE-2019-1300
   Impact: Remote Code Execution
   Severity: Critical
5) Product: Microsoft Office and Microsoft Office Services and Web Apps
   CVEs/Advisory: CVE-2019-1209, CVE-2019-1246, CVE-2019-1257, CVE-2019-1259, CVE-2019-1260, CVE-2019-1261, CVE-2019-1262, CVE-2019-1263, CVE-2019-1264, CVE-2019-1295, CVE-2019-1296, CVE-2019-1297
   Impact: Elevation of Privilege, Information Disclosure, Remote Code Execution, Security Feature Bypass, Spoofing
   Severity: Critical
   KBs: 4461631, 4464548, 4464557, 4464566, 4475566, 4475574, 4475579, 4475583, 4475589, 4475590, 4475591, 4475594, 4475596, 4475599, 4475605, 4475607, 4475611, 4484098, 4484099, 4515509
6) Product: Adobe Flash Player
   CVEs/Advisory: ADV190022
   Impact: Remote Code Execution
   Severity: Critical
   KBs: 4516115
7) Product: Microsoft Lync
   CVEs/Advisory: CVE-2019-1209
   Impact: Information Disclosure
   Severity: Important
   KBs: 4515509
8) Product: Visual Studio
   CVEs/Advisory: CVE-2019-1232
   Impact: Elevation of Privilege
   Severity: Important
   KBs: 4513696
9) Product: Microsoft Exchange Server
   CVEs/Advisory: CVE-2019-1233, CVE-2019-1266
   Impact: Denial of Service, Spoofing
   Severity: Important
   KBs: 4515832
10) Product: .NET Framework
   CVEs/Advisory: CVE-2019-1142
   Impact: Elevation of Privilege
   Severity: Important
   KBs: 4514354, 4514355, 4514356, 4514357, 4514359, 4514598, 4514599, 4514601, 4514603, 4514604, 4516044, 4516058, 4516066, 4516068, 4516070
11) Product: Microsoft Yammer
   CVEs/Advisory: CVE-2019-1265
   Impact: Security Feature Bypass
   Severity: Important
12) Product: .NET Core
   CVEs/Advisory: CVE-2019-1301
   Impact: Denial of Service
   Severity: Important
13) Product: ASP.NET
   CVEs/Advisory: CVE-2019-1302
   Impact: Elevation of Privilege
   Severity: Important
14) Product: Team Foundation Server
   CVEs/Advisory: CVE-2019-1305, CVE-2019-1306
   Impact: Remote Code Execution, Spoofing
   Severity: Critical
15) Product: Project Rome
   CVEs/Advisory: CVE-2019-1231
   Impact: Information Disclosure
   Severity: Important
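A quick local audit against the KB lists above, written here as an added example (it is not SecPod's or Saner's code): it runs on the Windows host being checked and reports, per product group, which of the September 2019 KBs Get-HotFix can see. It assumes Win32_QuickFixEngineering (what Get-HotFix reads) is the source of truth, which covers OS-servicing updates but not Office or Exchange updates installed by their own installers, so only the Windows and .NET Framework groups are checked.

```powershell
# Added example, not part of the original post. KB numbers are copied from the
# product table above. Each Windows KB targets one OS build, so a patched host is
# expected to show one (or a few) of them, never the whole list.
$SeptemberKBs = @{
    'Windows'        = @('KB4512578','KB4515384','KB4516026','KB4516033','KB4516044',
                         'KB4516051','KB4516055','KB4516058','KB4516062','KB4516064',
                         'KB4516065','KB4516066','KB4516067','KB4516068','KB4516070')
    '.NET Framework' = @('KB4514354','KB4514355','KB4514356','KB4514357','KB4514359',
                         'KB4514598','KB4514599','KB4514601','KB4514603','KB4514604',
                         'KB4516044','KB4516058','KB4516066','KB4516068','KB4516070')
}

# Query the installed-update list once; Get-HotFix reads Win32_QuickFixEngineering.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

foreach ($product in $SeptemberKBs.Keys) {
    $present = $SeptemberKBs[$product] | Where-Object { $installed -contains $_ }
    if ($present) {
        '{0}: September 2019 update present ({1})' -f $product, ($present -join ', ')
    } else {
        # Caveat: a host that skipped September and installed a later cumulative
        # update is patched but will not list these KBs. Treat this as "verify",
        # not as a confirmed missing patch, and check Windows Update history.
        '{0}: none of the September 2019 KBs found; verify patch level' -f $product
    }
}
```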
SecPod Saner detects these vulnerabilities and automatically fixes them by applying the security updates. Download Saner now and keep your systems updated and secure.
