Microsoft’s September Patch Tuesday release contained 80 updates, 17 of them rated critical, including fixes for two zero-day vulnerabilities that Microsoft initially reported as being actively exploited in the wild.
Overall, 57 CVEs were issued for Windows 10 and 29 for the older Microsoft operating systems; Office and SharePoint also received updates.
CVE-2019-1214 and CVE-2019-1215 are zero days but, despite initially being reported by Microsoft as under attack, are not known to be exploited in the wild. Both are local elevation-of-privilege flaws. The former is a vulnerability in the Common Log File System (CLFS) driver, and the fix corrects how CLFS handles objects in memory. The latter is in the Winsock driver, and the update ensures that ws2ifsl.sys properly handles objects in memory. Microsoft noted that to exploit either vulnerability an attacker would first have to log on to the system and then run a specially crafted application to take control of it, so on their own these bugs raise an attacker’s privileges rather than grant initial access.
“These impact all supported versions of Windows, and patching should be prioritized,” said Jimmy Graham, Qualys’ senior director of product management.
Satnam Narang, senior research engineer at Tenable, pointed out additional critical issues in Remote Desktop Client that should be at the top of every IT administrator’s list: CVE-2019-1290, CVE-2019-1291, CVE-2019-0787 and CVE-2019-0788. Microsoft’s disclosure of these four remote code execution issues in Remote Desktop Client follows the release of fixes for BlueKeep in May and DejaBlue in August, but the new flaws are exploited differently.
“Unlike BlueKeep and DejaBlue, where attackers target vulnerable Remote Desktop servers, these vulnerabilities require an attacker to convince a user to connect to a malicious Remote Desktop server. Attackers could also compromise vulnerable servers and host malicious code on them and wait for users to connect to them,” Narang said.
Graham also highlighted CVE-2019-1257, CVE-2019-1295 and CVE-2019-1296 for SharePoint as priorities: one involves uploading a malicious application package, while the other two are deserialization vulnerabilities in the SharePoint API.
Chris Goettl, director of product management, security at Ivanti, brought up an issue with the September rollout that falls outside the security area but is indicative of upcoming changes IT admins need to be aware of.
“A couple of things to note about Servicing Stack Updates. They are rated as critical but are not resolving security vulnerabilities. They are also not part of the cumulative update chain. They are a separate update that needs to be installed outside of the normal cumulative or security only bundle. This is a critical update to Microsoft’s update system within the OS. This means some changes are coming down the line and there will be a point where you cannot update the Windows updates on the system if the Servicing Stack update is not applied,” he said.
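The ordering constraint Goettl describes, as an added PowerShell example that is not code from the article, from Ivanti or from Microsoft: the Servicing Stack Update (SSU) is checked for and installed first, and the cumulative update is refused until the SSU is actually present. The KB numbers and .msu paths are parameters you fill in from the month’s Microsoft release notes; the values in the usage line are placeholders, not real identifiers. Reading the installed servicing stack version from the folder names under %windir%\servicing\Version and checking installed KBs with Get-HotFix are assumptions about the host, not something the article states.

```powershell
# Added example (not from the article, Ivanti or Microsoft): install the SSU
# before the cumulative update (LCU) and verify it landed, since the SSU is
# not part of the cumulative update chain and the LCU will not pull it in.
# Assumptions: KB numbers and .msu paths come from the Microsoft release notes;
# the usage values at the bottom are placeholders, not real identifiers.

function Get-ServicingStackVersion {
    # Assumption: the highest-numbered folder under %windir%\servicing\Version
    # reflects the installed servicing stack; a newer SSU adds a higher one.
    $versionRoot = Join-Path $env:windir 'servicing\Version'
    Get-ChildItem -Path $versionRoot -Directory |
        ForEach-Object { [version]$_.Name } |
        Sort-Object -Descending |
        Select-Object -First 1
}

function Test-KbInstalled {
    param([Parameter(Mandatory)][string]$Kb)
    # Get-HotFix returns nothing (no error) when the KB is not installed.
    [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
}

function Install-MsuPackage {
    param([Parameter(Mandatory)][string]$MsuPath)
    # wusa.exe exits 0 on success and 3010 when the install needs a reboot.
    $p = Start-Process -FilePath 'wusa.exe' `
        -ArgumentList "`"$MsuPath`" /quiet /norestart" -Wait -PassThru
    return $p.ExitCode
}

function Install-MonthlyUpdates {
    param(
        [Parameter(Mandatory)][string]$SsuKb,
        [Parameter(Mandatory)][string]$SsuMsuPath,
        [Parameter(Mandatory)][string]$LcuKb,
        [Parameter(Mandatory)][string]$LcuMsuPath
    )

    Write-Host "Servicing stack before: $(Get-ServicingStackVersion)"

    # Step 1: the SSU goes first, as a separate package outside the cumulative chain.
    if (-not (Test-KbInstalled -Kb $SsuKb)) {
        $code = Install-MsuPackage -MsuPath $SsuMsuPath
        if ($code -notin 0, 3010) {
            throw "SSU $SsuKb failed with exit code $code; not attempting the cumulative update"
        }
    }

    # Step 2: refuse to continue until the SSU is really present.
    if (-not (Test-KbInstalled -Kb $SsuKb)) {
        throw "SSU $SsuKb still not installed; the cumulative update may fail without it"
    }
    Write-Host "Servicing stack after SSU: $(Get-ServicingStackVersion)"

    # Step 3: now the cumulative update.
    if (-not (Test-KbInstalled -Kb $LcuKb)) {
        $code = Install-MsuPackage -MsuPath $LcuMsuPath
        if ($code -notin 0, 3010) {
            throw "Cumulative update $LcuKb failed with exit code $code"
        }
    }

    Write-Host 'Updates staged; reboot to complete installation.'
}

# Usage (placeholder KB numbers and paths; substitute the real ones from the release notes):
# Install-MonthlyUpdates -SsuKb 'KB0000000' -SsuMsuPath 'C:\updates\ssu.msu' `
#                        -LcuKb 'KB0000001' -LcuMsuPath 'C:\updates\lcu.msu'
```

Run it from an elevated session; the servicing stack version printed before and after the SSU step is the quickest way to confirm the separate update actually took effect on a host before the cumulative bundle is attempted.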