Microsoft Corporation today released its latest batch of security updates, fixing 59 vulnerabilities, nine of them critical.
Four of the critical flaws consisted of memory corruption bugs that can surface when the Chakra scripting engine handles certain objects in memory in the Microsoft Edge web browser (CVE-2019-1366, CVE-2019-1307, CVE-2019-1308 and CVE-2019-1335). These flaws can be exploited to trigger remote code execution, potentially allowing attackers to install programs, manipulate data or create privileged accounts.
"In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website," Microsoft explains in multiple advisories. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.
Microsoft also patched a pair of critical VBScript remote code execution vulnerabilities in its other browser, Internet Explorer (CVE-2019-1238 and CVE-2019-1239).
Another critical RCE bug, CVE-2019-1333, can be exploited via the Windows Remote Desktop Client when a user connects to a malicious server. "To exploit this vulnerability, an attacker would need to have control of a server and then convince a user to connect to it," Microsoft explains in its advisory. "An attacker would have no way of forcing a user to connect to the malicious server, they would need to trick the user into connecting via social engineering, DNS poisoning or using a Man in the Middle (MITM) technique. An attacker could also compromise a legitimate server, host malicious code on it, and wait for the user to connect."
"October is yet another month where enterprises need to worry about remote desktop vulnerabilities," said Richard Melick, senior technical product manager at Automox, in emailed comments. "Microsoft's patch of CVE-2019-1333 directly addresses a vulnerability in Remote Desktop Client that would allow an attacker to take full control of a machine, including the ability to manipulate data, files and programs, putting an enterprise’s data and access at risk. Lateral access through a network only requires one compromised machine and with this capability in the hands of an attacker, their actions would be masked longer due to the escalated access."
The remaining two patched critical bugs are CVE-2019-1060, an RCE in XML Core Services' MSXML parser, and CVE-2019-1372, an RCE bug in the Azure App Service.
A remote code execution vulnerability exists when Azure App Service/Antares on Azure Stack fails to check the length of a buffer prior to copying memory to it. Attackers could exploit this bug to perform a sandbox escape.
Other products serviced in Microsoft's latest update include SQL Server Management Studio and Dynamics 365.
"This month's Patch Tuesday is mainly notable in that there isn't a whole lot to note, which is a change of pace. No zero-days, no vulnerabilities that haven’t been publicly disclosed already and nothing that could allow worms to proliferate," said Greg Wiseman, senior security researcher at Rapid7, in emailed comments.