The October Security Update Review

October 08, 2019 | Dustin Childs

October is here and so are the latest security patches from Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.

Adobe Patches for October 2019

Interestingly, Adobe released no updates today. They did release an unscheduled update for Cold Fusion on September 24, despite not listing any active attacks for the CVEs addressed. It is possible Adobe will release patches later in the month. We will update this blog should that occur.

Microsoft Patches for October 2019

This month, the Microsoft release is on the smaller side, with security patches for 59 CVEs and no new advisories. The updates cover Microsoft Windows, Internet Explorer, Edge (EdgeHTML-based), ChakraCore, Microsoft Office and Microsoft Office Services and Web Apps, SQL Server Management Studio, Microsoft Dynamics 365, Windows Update Assistant and Open Source Software. It’s still odd to see Microsoft patching open source software, but it certainly is a welcome occurrence. Of these 59 CVEs, nine are listed as Critical, 49 are listed as Important, and one is listed as Moderate in severity. Two of these CVEs were reported through the ZDI program. None of the vulnerabilities disclosed today are listed as publicly known or under active attack.

Let’s take a closer look at some of the more interesting patches for this month, starting with an OOB release and re-release:

-       CVE-2019-1367 – Scripting Engine Memory Corruption Vulnerability
This patch was actually released on September 23 to address active attacks reported on IE. However, this initial patch was only available via manual download and wasn’t on Windows Update or Automatic Update. On October 3, they updated and re-released the patch on all platforms. They also noted the updated patch addresses some quality issues introduced by the first patch. It seems the rush to create the update to stop the attacks had a bumpy start, and some reports indicate printing issues continue. If you’re worried about the risk, restricting access to jscript.dll is a good alternative to applying the patch. 

-       CVE-2019-1372 – Azure App Service Remote Code Execution Vulnerability
Although listed as an RCE, you could look at this bug as an Elevation of Privilege (EoP). These bugs rarely get listed as Critical severity, but this one certainly earns its rating. An attacker could use this vulnerability to have an unprivileged function run by a user execute code at the level of System. That provides an attacker a nifty sandbox escape. Microsoft gives this an “Exploitation Less Likely” Exploit Index rating, but if you use the Azure App Service, don’t depend on that and do apply the patch.

-       CVE-2019-1365 – Microsoft IIS Server Elevation of Privilege Vulnerability
It seems certain things tend to repeat themselves, and buffer overflows in IIS certainly fall into that category. This patch corrects this most recent buffer overflow by changing how IIS sanitizes web requests. Similar to the previously mentioned Azure bug, an attacker could use this vulnerability to execute code as System and escape the sandbox. Given the importance of most IIS servers in an enterprise, definitely put this near the top of your test-and-deploy list.

-       CVE-2019-1314 – Windows 10 Mobile Security Feature Bypass Vulnerability
This Security Feature Bypass (SFB) for Windows 10 Mobile takes advantage of a flaw in Cortana that allows an attacker to access files on a device from the lock screen. Obviously, the attacker would need physical access to the device. Although Microsoft details the bug, they aren’t fixing it. Instead, they recommend users of Windows 10 Mobile disable Cortana on the lock screen. If your organization uses devices with this OS, start rounding them up to make the change.

Here’s the full list of CVEs released by Microsoft for October 2019.

CVE Title Severity Public Exploited XI - Latest XI - Older Type
CVE-2019-1060 VBScript Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2019-1238 VBScript Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2019-1239 VBScript Remote Code Execution Vulnerability Critical No No 2 N/A RCE
CVE-2019-1307 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No 2 N/A RCE
CVE-2019-1308 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No 2 N/A RCE
CVE-2019-1333 Remote Desktop Client Remote Code Execution Vulnerability Critical No No 1 1 RCE
CVE-2019-1335 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No 2 N/A RCE
CVE-2019-1366 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No N/A 2 RCE
CVE-2019-1372 Azure App Service Elevation of Privilege Vulnerability Critical No No 2 2 EoP
CVE-2019-0608 Microsoft Browser Spoofing Vulnerability Important No No 2 2 Spoof
CVE-2019-1070 Microsoft Office SharePoint XSS Vulnerability Important No No N/A 2 XSS
CVE-2019-1166 Windows NTLM Tampering Vulnerability Important No No 2 2 Tampering
CVE-2019-1230 Hyper-V Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2019-1311 Windows Imaging API Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2019-1313 SQL Server Management Studio Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2019-1314 Windows 10 Mobile Security Feature Bypass Vulnerability Important No No 2 2 SFB
CVE-2019-1315 Windows Error Reporting Manager Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2019-1316 Microsoft Windows Setup Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2019-1317 Microsoft Windows Denial of Service Vulnerability Important No No 2 2 DoS
CVE-2019-1318 Microsoft Windows Transport Layer Security Spoofing Vulnerability Important No No 2 2 Spoof
CVE-2019-1319 Windows Error Reporting Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2019-1320 Microsoft Windows Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2019-1321 Microsoft Windows CloudStore Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2019-1322 Microsoft Windows Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2019-1323 Microsoft Windows Update Client Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2019-1326 Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability Important No No 2 2 DoS
CVE-2019-1327 Microsoft Excel Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2019-1328 Microsoft SharePoint Spoofing Vulnerability Important No No N/A 2 Spoof
CVE-2019-1329 Microsoft SharePoint Elevation of Privilege Vulnerability Important No No N/A 2 EoP
CVE-2019-1330 Microsoft SharePoint Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2019-1331 Microsoft Excel Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2019-1334 Windows Kernel Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2019-1336 Microsoft Windows Update Client Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2019-1337 Windows Update Client Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2019-1338 Windows NTLM Security Feature Bypass Vulnerability Important No No N/A 2 SFB
CVE-2019-1339 Windows Error Reporting Manager Elevation of Privilege Vulnerability Important No No N/A N/A EoP
CVE-2019-1340 Microsoft Windows Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2019-1341 Windows Power Service Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2019-1342 Windows Error Reporting Manager Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2019-1343 Windows Denial of Service Vulnerability Important No No 2 2 DoS
CVE-2019-1344 Windows Code Integrity Module Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2019-1345 Windows Kernel Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2019-1346 Windows Denial of Service Vulnerability Important No No 2 2 DoS
CVE-2019-1347 Windows Denial of Service Vulnerability Important No No 2 2 DoS
CVE-2019-1356 Microsoft Edge based on Edge HTML Information Disclosure Vulnerability Important No No 2 N/A Info
CVE-2019-1357 Microsoft Browser Spoofing Vulnerability Important No No 2 2 Spoof
CVE-2019-1358 Jet Database Engine Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2019-1359 Jet Database Engine Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2019-1361 Microsoft Graphics Components Information Disclosure Vulnerability Important No No N/A 2 Info
CVE-2019-1362 Win32k Elevation of Privilege Vulnerability Important No No N/A 1 EoP
CVE-2019-1363 Windows GDI Information Disclosure Vulnerability Important No No N/A 2 Info
CVE-2019-1364 Win32k Elevation of Privilege Vulnerability Important No No N/A 1 EoP
CVE-2019-1365 Microsoft IIS Server Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2019-1369 Open Enclave SDK Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2019-1371 Internet Explorer Memory Corruption Vulnerability Important No No 2 2 RCE
CVE-2019-1368 Windows Secure Boot Security Feature Bypass Vulnerability Important No No 2 2 SFB
CVE-2019-1375 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability Important No No 2 2 XSS
CVE-2019-1376 SQL Server Management Studio Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2019-1325 Windows Redirected Drive Buffering System Elevation of Privilege Vulnerability Moderate No No 3 2 EoP

Of the other patches, there are a couple more entries to the Blue Bug Group of Remote Desktop vulns, but like last month, these bugs are client side and thus not wormable. The remaining Critical-rated bugs for October all address browse-and-own scenarios in VBScript and Chakra.

There are a few interesting entries in the Important-rated patches, including a tampering bug in NTLM. You don’t see a lot of patches for Tampering bugs, and I have a soft spot for anything packet related. CVE-2019-1166 corrects a vulnerability NTLM that could allow a monster-in-the-middle to bypass the NTLM Message Integrity Check (MIC) and thereby downgrade NTLM security features. If an attacker can tamper with an NTLM exchange, they could modify flags of the NTLM packet without invalidating the signature. While this may be an unlikely scenario, the concept of modifying NTLM packets without invalidating the signature is fascinating (well, at least to me).

This month’s release is mostly focused on EoP bugs. These include patches for the Windows Update Client, which would be disastrous if attackers compromised the automatic update client. However, these bugs are really your typical Local Privilege Escalations (LPE) and not a breakdown of the entire Windows Update service. The Error Reporting Service also has several LPEs fixed this month, which is somewhat ironic.

The “Open Source Software” receiving an update this month comes in the form of the Open Enclave SDK. Microsoft had previously promised to contribute to the open-source project as a part of their Confidential Computing Consortium, and this info disclosure bug appears to be the first patch-related contribution.

This month’s release is rounded out by additional info disclosure bugs, five DoS vulnerabilities, a few spoofing issues, and a patch to address a cross-site scripting (XSS) bug in SharePoint. The servicing stack advisory (ADV990001) was revised for multiple versions of Windows. No new advisories were released this month.

Looking Ahead

The next patch Tuesday falls on November 12, and we’ll return with details and patch analysis then. Until then, happy patching and may all your reboots be smooth and clean!