The September 2019 Security Update Review

September is upon us and with it brings the latest security patches from Microsoft and Adobe. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.  

Adobe Patches for September 2019

Adobe had a small release for September with only two patches covering a total of three CVEs in Adobe Flash and Application Manager. The update for Flash addresses two CVEs, both of which were reported through the ZDI program. The patch corrects a Use-After-Free (UAF) bug and a Same Origin Method Execution bug, both of which are rated Critical in severity. The Application Manager patch fixes an Important-severity DLL hijacking bug.

Neither of these bugs are listed as being publicly known or under active attack at the time of release.

Microsoft Patches for September 2019

This month, Microsoft released security patches for 80 CVEs plus two advisories. The updates cover Microsoft Windows, Internet Explorer, Microsoft Edge, ChakraCore, Office and Microsoft Office Services and Web Apps, Skype for Business and Microsoft Lync, Visual Studio, .NET Framework, Exchange Server, Microsoft Yammer, and Team Foundation Server. Of these 80 CVEs, 17 are listed as Critical, 62 are listed as Important, and one is listed as Moderate in severity. A total of 18 of these CVEs came through the ZDI program. Two of the bugs this month are listed as publicly known at the time of release, and two other bugs are listed as under active attack.

Let’s take a closer look at some of the more interesting patches for this month, starting with the bugs under active attack:

Note: Post-release, Microsoft revised their advisories to indicate these two CVEs are not under active attack.

-       CVE-2019-1215 – Windows Elevation of Privilege Vulnerability
This patch corrects a local privilege escalation (LPE) in the Winsock2 Integrated File System Layer (ws2ifsl.sys). An attacker who exploits this vulnerability could go from User level to Administrator level access. Microsoft reports this is being actively used against both newer and older supported OSes, but they don’t indicate where. Interestingly, this file has been targeted by malware in the past, with some references going back as far as 2007. Not surprising, since malware often targets low-level Windows services. Regardless, since this is being actively used, put this one on the top of your patch list.

-       CVE-2019-1214 – Windows Common Log File System Driver Elevation of Privilege Vulnerability
The other bug under active attack this month is also a Windows LPE, this time in the Common Log File System (CLFS) Driver. Again, an attacker could use this to elevate from a regular user to one with Administrative privileges. According to Microsoft, this CVE is only being seen targeting older operating systems. This is a fine time to remind you that Windows 7 is less than six months from end of support, which means you won’t be getting updates for bugs like this one next February. Patch your systems, then work on your upgrade strategy.

-       CVE-2019-1289 – Windows Update Delivery Optimization Elevation of Privilege Vulnerability
This patch corrects a rather intriguing bug in the Windows Update Delivery Optimization (WUDO) feature found in Windows 10. This component is designed to reduce network bandwidth by having PCs grab updates from other peers on a network that already have downloaded the update. A local attacker could use this vulnerability to overwrite files they would normally not have permissions to. While this clearly could lead to an LPE on the local system, it’s not clear if it could be used to impact other systems through WUDO. If you’re using this feature, definitely roll this patch out quickly or disable the feature entirely.

-        CVE-2019-1257 – Microsoft SharePoint Remote Code Execution Vulnerability
This patch addresses one of three Critical-rated deserialization bugs in the Business Data Connectivity Service of SharePoint. All three were reported by Markus Wulftange through the ZDI program. For this particular case, an attacker could execute their code under the context of the SharePoint application pool identity by uploading a specially crafted SharePoint application package to an affected server. Normally, you would need to authenticate to upload such a package – unless you have enabled anonymous access. But you wouldn’t do that. Would you? We’ll also have more details about these bugs on our blog in the near future. Stay tuned…

Here’s the full list of CVEs released by Microsoft for September 2019.

Of the public patches, one was highly publicized through a blog just after last patch Tuesday. The update closes a hole that could possibly allow attackers to hijack just about any application. Although we haven’t seen this being used in the wild yet, there’s a strong possibility that will happen. The other publicly known issue involves a bypass in the secure boot functionality. It sounds worse than it actually is, as this bug could only allow attackers with physical access to get debugging functionality.

You’ll notice there are Remote Desktop bugs being patched in this release as well, but unlike BlueKeep and DejaBlue, these members of the Blue Bug Group are all client-side. An attacker would need to convince someone to connect to their malicious RDP server or otherwise intercept (MITM) the traffic. It’s good to see these issues patched, but they don’t carry the urgency of the recent wormable bugs.

Of the remaining Critical-rated patches, nine correct browse-and-own scenarios in either a browser or a browser component. In reading these, Microsoft now seems to be referring to older Edge versions as “Microsoft Edge (EdgeHTML-based)” or “Microsoft Edge based on EdgeHTML” in order to distinguish it from Edge based on the Chromium source code.

More interestingly, this is the second month in a row with patch for an LNK vulnerability. Considering the history of exploits using LNK vulnerabilities, including recent malware campaigns using fileless execution and (of course) Stuxnet, these bugs always get attention from attackers.

The final Critical patch for September fixes a bug in the Azure DevOps (ADO) and Team Foundation Server (TFS) that could allow an attacker to execute code on the server in the context of the TFS or ADO service account. An attacker would need permissions to upload a file on a target repo, but if they do, they can achieve code execution once the affected server indexes their file. We’ll have additional details (with video!) about this bug in the near future as well.

Moving on to the Important-rated patches, the first that pops out is a Denial-of-Service (DoS) bug impacting Microsoft Exchange. An attacker could shut down an affected server just by sending it a specially crafted email. No user interaction is required. Neat. There’s also a patch that addresses an Exchange spoofing vulnerability, but that one requires a user to click a link.

Info disclosure bugs get their fair share of attention this month with 16 patches impacting Windows and Office components. There are also three cross-site scripting (XSS) and three spoofing bugs fixed this month to go with the many EoP and RCEs. Rounding out this month’s release, there are a few updates for the JET Database, Office, SharePoint, .NET and ASP.NET, and other various Windows components. 

Looking at the advisories for September, the first is Microsoft’s version of the aforementioned patch for Flash in Internet Explorer. The other is the update to the Windows Servicing Stack, which adds updates for Windows 10 version 1607, Windows Server 2016, Windows 10 version 1809, and Windows Server 2019.

Looking Ahead

The next patch Tuesday falls on October 8, and we’ll return with details and patch analysis then. Until then, happy patching and may all your reboots be smooth and clean!