The August 2019 Security Update Review

August 13, 2019 | Dustin Childs

August is here and it brings with it the scheduled security patches from Microsoft and Adobe. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.  

Adobe Patches for August 2019

Adobe released eight patches for August covering a total of 119 CVEs, with the largest being for Adobe Acrobat and Reader. That update alone addresses 76 CVEs rated Important or Moderate, 20 of which came through the ZDI program. The majority of these bugs are caused by either an Out-of-Bounds (OOB) Read or a Use-After-Free (UAF) condition. There’s also a command injection bug (CVE-2019-8060); however, it does not impact the Windows version of Reader.

The patch for Photoshop is also quite large, with 34 CVEs being addressed this month. A total of 17 of these bugs were reported through the ZDI program. The majority of these bugs are rated Critical in severity, with heap overflows and OOB Writes leading the way. Adobe Experience Manager receives a patch for a Critical-rated authentication bypass. The Creative Cloud Desktop app has two Important- and two Critical-rated CVEs fixed. The release is rounded out with a quartet of patches for Adobe Prelude, Character Animator, After Effects, and Premiere Pro, each of which gets one DLL-hijacking bug fixed.

None of these bugs are listed as being publicly known or under active attack at the time of release.

Microsoft Patches for August 2019

This month, Microsoft released security patches for a whopping 93 CVEs plus two advisories. The updates cover Microsoft Windows, Internet Explorer, Edge, ChakraCore, Microsoft Office and Microsoft Office Services and Web Apps, Azure DevOps Server, Visual Studio, Online Services, and Microsoft Dynamics. Of these 93 CVEs, 29 are rated Critical and 64 are rated Important in severity. A total of 15 of these CVEs came through the ZDI program. None of the bugs addressed this month are listed as publicly known or under active attack at the time of release; however, several bugs this month fall into the wormable category.

Let’s take a closer look at some of the more interesting patches for this month, starting with the bugs with the potential to end up as worms:

-       CVE-2019-1181 – Remote Desktop Services Remote Code Execution Vulnerability
        CVE-2019-1182 – Remote Desktop Services Remote Code Execution Vulnerability
        CVE-2019-1222 – Remote Desktop Services Remote Code Execution Vulnerability
        CVE-2019-1226 – Remote Desktop Services Remote Code Execution Vulnerability
These four bugs share the same impact and exploit scenario. An attacker can get code execution at SYSTEM level by sending a specially crafted pre-authentication RDP packet to an affected RDS server. If that sounds familiar, you are probably thinking of the recently patched “BlueKeep” vulnerability (CVE-2019-0708). Clearly, the folks in Redmond suspected similar bugs existed in RDP, and these four patches demonstrate that fact. All four also receive Microsoft’s highest exploitability ranking (Exploitation More Likely), so we could well see multiple RDP exploits circulating in the near future. Network Level Authentication (NLA) is listed as a mitigation, since it forces an attacker to authenticate before the vulnerable code is reachable, but an attacker holding valid credentials can still exploit a system with NLA enabled, so treat it as a stopgap rather than a fix. If you must have an internet-facing RDP server, patch immediately (and reconsider your server placement). 
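The following PowerShell is an added example, not code from the ZDI post or from Microsoft. It audits a single Windows host for the exposure the RDS bugs above depend on (Remote Desktop enabled, a listener on the RDP port, firewall profiles that admit it, and whether NLA is required) and offers a function that turns NLA on through the same WMI class the System Properties dialog uses. The function names, the verdict strings and the assumption of PowerShell 4+ on Windows 8.1/Server 2012 R2 or later are mine; the registry locations and the `Win32_TSGeneralSetting` class are the standard ones.

```powershell
# Added example (not from the ZDI post): audit one Windows host's exposure to the
# pre-authentication RDS bugs (CVE-2019-1181/1182/1222/1226) and optionally turn on
# Network Level Authentication (NLA). NLA moves the vulnerable code behind
# authentication, so it blocks the worm scenario but not an attacker with valid
# credentials; it is a stopgap, not a substitute for the update.
# Assumes PowerShell 4+ on Windows 8.1/Server 2012 R2 or later; run elevated.

function Get-RdpExposure {
    [CmdletBinding()]
    param()

    $ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp = "$ts\WinStations\RDP-Tcp"

    # fDenyTSConnections = 0 means Remote Desktop is enabled.
    $denyTs = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means NLA is required before a session is created.
    $nla    = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $port   = (Get-ItemProperty -Path $rdpTcp -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
    if (-not $port) { $port = 3389 }

    # Which local addresses actually have a listener on the RDP port?
    $listening = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty LocalAddress -Unique

    # Which firewall profiles have the built-in "Remote Desktop" inbound rules enabled?
    $profiles = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue |
                Where-Object { $_.Enabled -eq 'True' } |
                Select-Object -ExpandProperty Profile -Unique

    if ($denyTs -ne 0)   { $verdict = 'RDP disabled' }
    elseif ($nla -ne 1)  { $verdict = 'EXPOSED pre-auth: install the August update now; enable NLA meanwhile' }
    else                 { $verdict = 'NLA on: unauthenticated trigger blocked; update still required' }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        RdpEnabled       = ($denyTs -eq 0)
        NlaRequired      = ($nla -eq 1)
        Port             = $port
        ListeningOn      = ($listening -join ', ')
        FirewallProfiles = ($profiles -join ', ')
        Verdict          = $verdict
    }
}

function Enable-RdpNla {
    # Sets "Allow connections only from computers running Remote Desktop with NLA"
    # through the WMI class behind the System Properties dialog.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $setting = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
                               -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    if ($setting.UserAuthenticationRequired -eq 1) { return 'NLA already required' }
    if ($PSCmdlet.ShouldProcess('RDP-Tcp', 'require Network Level Authentication')) {
        Invoke-CimMethod -InputObject $setting -MethodName SetUserAuthenticationRequired `
                         -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null
        return 'NLA now required (existing sessions are unaffected)'
    }
}

Get-RdpExposure | Format-List
# Enable-RdpNla -WhatIf     # preview; drop -WhatIf to apply
```

Run it across a fleet with `Invoke-Command` and sort on the `Verdict` column: anything reporting "EXPOSED pre-auth" with a public-profile firewall rule is the first thing a worm would find. Enabling NLA also means clients that cannot do CredSSP (very old mstsc builds and some third-party clients) will no longer connect, which is usually the right trade.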

-       CVE-2019-0736 – Windows DHCP Client Remote Code Execution Vulnerability
This patch corrects a bug in the DHCP client that could allow code execution if an attacker sends a specially crafted packet to an affected client. There’s no user interaction or authentication involved, so this CVE is also theoretically wormable. Every supported Microsoft OS is impacted by this bug, so an exploit would have a broad selection of targets.

-       CVE-2019-1188 – LNK Remote Code Execution Vulnerability
I can’t see an LNK vulnerability without thinking about Stuxnet and how the 2010 patch could be circumvented. This bug is similar. An attacker could use this vulnerability to get code execution by having an affected system process a specially crafted .LNK file. This could be done by convincing a user to open a remote share, or – as has been seen in the past – placing the .LNK file on a USB drive and having the user open it. It’s a handy way to exploit an air-gapped system.

-       CVE-2019-1201 – Microsoft Word Remote Code Execution Vulnerability
Most Word patches are rated Important in severity, but this one is listed as Critical. Typically, user interaction is required, meaning someone needs to actually open a crafted Word document. For this bug, that’s not the case. The Outlook Preview Pane is an attack vector, so it’s possible to get code execution using this bug without user interaction. Considering the ubiquity of Word and Outlook, this should definitely be near the top of your test and deployment list.

-       CVE-2019-9506 - Encryption Key Negotiation of Bluetooth Vulnerability
This is the key negotiation flaw in Bluetooth BR/EDR (Bluetooth Classic) publicly known as the KNOB attack. An attacker within radio range who can interpose on the link-layer key-size negotiation can force the encryption key length down to 1 byte of entropy, from a maximum of 16 bytes, then brute-force that key to decrypt or inject traffic on the link. This is an interesting case, as you can’t just apply a patch. The update adds a check that enforces a default 7-octet minimum key length, but the check ships disabled; you must apply the update and then enable it through the registry value described in the KB article. Once enforcement is on, devices that cannot negotiate a 7-octet key will stop connecting, so if you rely on older Bluetooth peripherals, test them and make sure you complete all the steps listed in the KB article. CERT/CC tracks this as VU#918987.

Here’s the full list of CVEs released by Microsoft for August 2019. The two XI columns are Microsoft’s Exploitability Index for the latest and for older product versions: 1 = Exploitation More Likely, 2 = Exploitation Less Likely, N/A = that version is not affected or no rating was given.

CVE Title Severity Public Exploited XI - Latest XI - Older Type
CVE-2019-1131 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No 1 N/A RCE
CVE-2019-1139 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No 1 N/A RCE
CVE-2019-1140 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No 1 N/A RCE
CVE-2019-1141 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No 1 N/A RCE
CVE-2019-1195 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No 1 N/A RCE
CVE-2019-1196 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No 1 N/A RCE
CVE-2019-1197 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No 1 N/A RCE
CVE-2019-0720 Hyper-V Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2019-1188 LNK Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2019-1144 Microsoft Graphics Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2019-1145 Microsoft Graphics Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2019-1149 Microsoft Graphics Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2019-1150 Microsoft Graphics Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2019-1151 Microsoft Graphics Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2019-1152 Microsoft Graphics Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2019-1199 Microsoft Outlook Memory Corruption Vulnerability Critical No No 1 1 RCE
CVE-2019-1200 Microsoft Outlook Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2019-1201 Microsoft Word Remote Code Execution Vulnerability Critical No No 1 1 RCE
CVE-2019-1205 Microsoft Word Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2019-1181 Remote Desktop Services Remote Code Execution Vulnerability Critical No No 1 1 RCE
CVE-2019-1182 Remote Desktop Services Remote Code Execution Vulnerability Critical No No 1 1 RCE
CVE-2019-1222 Remote Desktop Services Remote Code Execution Vulnerability Critical No No 1 N/A RCE
CVE-2019-1226 Remote Desktop Services Remote Code Execution Vulnerability Critical No No 1 N/A RCE
CVE-2019-1133 Scripting Engine Memory Corruption Vulnerability Critical No No 2 2 RCE
CVE-2019-1194 Scripting Engine Memory Corruption Vulnerability Critical No No 2 2 RCE
CVE-2019-0736 Windows DHCP Client Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2019-1213 Windows DHCP Server Remote Code Execution Vulnerability Critical No No N/A 2 RCE
CVE-2019-0965 Windows Hyper-V Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2019-1183 Windows VBScript Engine Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2019-9511 HTTP/2 Server Denial of Service Vulnerability Important No No 2 2 DoS
CVE-2019-9512 HTTP/2 Server Denial of Service Vulnerability Important No No 2 2 DoS
CVE-2019-9513 HTTP/2 Server Denial of Service Vulnerability Important No No 2 2 DoS
CVE-2019-9514 HTTP/2 Server Denial of Service Vulnerability Important No No 2 2 DoS
CVE-2019-9518 HTTP/2 Server Denial of Service Vulnerability Important No No 2 2 DoS
CVE-2019-0716 Windows Denial of Service Vulnerability Important No No 2 2 DoS
CVE-2019-1206 Windows DHCP Server Denial of Service Vulnerability Important No No 2 2 DoS
CVE-2019-1212 Windows DHCP Server Denial of Service Vulnerability Important No No 2 2 DoS
CVE-2019-0714 Windows Hyper-V Denial of Service Vulnerability Important No No 2 2 DoS
CVE-2019-0715 Windows Hyper-V Denial of Service Vulnerability Important No No 2 2 DoS
CVE-2019-0717 Windows Hyper-V Denial of Service Vulnerability Important No No 2 2 DoS
CVE-2019-0718 Windows Hyper-V Denial of Service Vulnerability Important No No 2 2 DoS
CVE-2019-0723 Windows Hyper-V Denial of Service Vulnerability Important No No 2 2 DoS
CVE-2019-1223 Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability Important No No 1 N/A DoS
CVE-2019-1187 XmlLite Runtime Denial of Service Vulnerability Important No No 2 2 DoS
CVE-2019-1176 DirectX Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2019-1229 Dynamics On-Premise Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2019-1211 Git for Visual Studio Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2019-1161 Microsoft Defender Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2019-1204 Microsoft Outlook Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2019-1198 Microsoft Windows Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2019-1168 Microsoft Windows p2pimsvc Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2019-1169 Win32k Elevation of Privilege Vulnerability Important No No N/A 1 EoP
CVE-2019-1162 Windows ALPC Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2019-1173 Windows Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2019-1174 Windows Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2019-1175 Windows Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2019-1177 Windows Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2019-1178 Windows Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2019-1179 Windows Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2019-1180 Windows Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2019-1184 Windows Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2019-1186 Windows Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2019-1190 Windows Image Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2019-1159 Windows Kernel Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2019-1164 Windows Kernel Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2019-1170 Windows NTFS Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2019-1185 Windows Subsystem for Linux Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2019-1030 Microsoft Edge Information Disclosure Vulnerability Important No No 2 N/A Info
CVE-2019-1078 Microsoft Graphics Component Information Disclosure Vulnerability Important No No 1 1 Info
CVE-2019-1148 Microsoft Graphics Component Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2019-1153 Microsoft Graphics Component Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2019-1202 Microsoft SharePoint Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2019-1224 Remote Desktop Protocol Server Information Disclosure Vulnerability Important No No 1 N/A Info
CVE-2019-1225 Remote Desktop Protocol Server Information Disclosure Vulnerability Important No No 1 N/A Info
CVE-2019-1171 SymCrypt Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2019-1143 Windows Graphics Component Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2019-1154 Windows Graphics Component Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2019-1158 Windows Graphics Component Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2019-1172 Windows Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2019-1227 Windows Kernel Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2019-1228 Windows Kernel Information Disclosure Vulnerability Important No No N/A 2 Info
CVE-2019-1146 Jet Database Engine Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2019-1147 Jet Database Engine Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2019-1155 Jet Database Engine Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2019-1156 Jet Database Engine Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2019-1157 Jet Database Engine Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2019-1193 Microsoft Browser Memory Corruption Vulnerability Important No No 2 2 RCE
CVE-2019-1057 MS XML Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2019-1192 Microsoft Browsers Security Feature Bypass Vulnerability Important No No 1 1 SFB
CVE-2019-1163 Windows File Signature Security Feature Bypass Vulnerability Important No No 2 2 SFB
CVE-2019-1218 Outlook iOS Spoofing Vulnerability Important No No N/A N/A Spoof
CVE-2019-9506 Encryption Key Negotiation of Bluetooth Vulnerability Important No No 2 2 Tampering
CVE-2019-1203 Microsoft Office SharePoint XSS Vulnerability Important No No 2 2 XSS

In addition to these, there’s also a DHCP server RCE (CVE-2019-1213) that could be wormable, but only between DHCP servers. Several additional RDP bugs also get fixes this month, but those are information disclosure (CVE-2019-1224, CVE-2019-1225) and denial-of-service (CVE-2019-1223) issues rather than code execution.

Looking at the other Critical-rated patches, the two Hyper-V bugs (CVE-2019-0720 and CVE-2019-0965) definitely stand out. Both could allow an attacker on a guest OS to execute code on the underlying host OS, which is a full virtualization escape. Font-parsing bugs make their return to the patch list, this time through the Microsoft Graphics Component: viewing a specially crafted embedded font on an affected system would get code execution at the level of the logged-on user. There are additional patches similar to the Word bug previously discussed. Since the Preview Pane is an attack vector for these bugs, there’s a good chance malware authors will seek to include them in future attacks. Ten different browser-related patches round out the Critical updates for August. In each case, code execution could be achieved by browsing to a malicious website.

Moving to the Important-rated cases, there are 15 different DoS bugs getting fixes this month. The ones affecting Hyper-V cause the most concern, as they would allow a user on a guest OS to take down the host. Two patches fix bugs in the DHCP server that could bring the service down with specially crafted packets. Similarly, five patches fix DoS vulnerabilities in the HTTP/2 protocol stack, which lives in the kernel-mode HTTP.sys driver used by IIS and other HTTP.sys listeners. If you have HTTP/2 enabled but don’t require it, the Microsoft advisory describes registry values that disable HTTP/2 (over TLS and in cleartext) as a workaround. There’s also a patch for the XmlLite runtime to prevent a DoS against XML applications.

Information disclosure issues get 14 patches this month, with most of those affecting the Graphics component, RDP, and the kernel. The SymCrypt crypto library gets a patch for an info disclosure bug that occurs during the Optimal Asymmetric Encryption Padding (OAEP) decryption stage. An attacker would need to log on to an affected system to exploit this, but if they could, they would be able to read the result of an OAEP decryption performed by a user-mode process.

Other notable patches this month include an update for Windows Defender. Most people will not need to take any action as the engine updates itself. Git for Visual Studio receives its first patch for a privilege escalation vulnerability, although the exploit scenario is rather complex. An authenticated attacker would need to modify Git configuration files on a system prior to a full installation of the application. The attacker would then need to convince another user on the system to execute specific Git commands. There’s also a privilege escalation in the Windows Subsystem for Linux. This has a more straightforward attack scenario with a local user running a specially crafted application.

Rounding out this month’s release, there are a few updates for the JET Database, Office, SharePoint, and other various Windows components. 

There are two new advisories for August. The first (ADV190023) provides guidance for enabling LDAP channel binding and LDAP signing on Active Directory Domain Controllers. Signing lets a DC reject unsigned binds and tampered LDAP traffic, and channel binding ties an LDAPS bind to its TLS session so that credentials relayed from another connection are rejected; together they close off NTLM relay against LDAP and LDAPS. Both are off by default because enforcing them breaks clients that still bind unsigned, so the advisory expects you to audit before you enforce. The other advisory details a privilege escalation in Microsoft Live Accounts. However, this has already been mitigated by Microsoft and no further action is required.
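Three items this month are gated by configuration rather than by the binary update alone: the Bluetooth key-size enforcement for CVE-2019-9506, the HTTP/2 disable workaround for the HTTP.sys DoS bugs, and the LDAP signing and channel binding guidance in ADV190023. The PowerShell below is an added example, not code from the ZDI post or from Microsoft, that applies all three idempotently with `-WhatIf` support and audits a domain controller for unsigned binds before anything is enforced. The registry paths and value names are the ones Microsoft published for these issues as of August 2019; the function names, the `$mode` splat and the audit flow are my own, and you should confirm the values against the current KB for your build before deploying.

```powershell
# Added example (not from the ZDI post or from Microsoft): apply August 2019's
# configuration-gated mitigations idempotently, preview them with -WhatIf, and
# audit a DC for unsigned LDAP binds before requiring signing. Run elevated.
# Registry locations follow Microsoft's guidance for CVE-2019-9506, the HTTP/2
# DoS CVEs and ADV190023; confirm against the current KB for your build.

function Set-MitigationValue {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$Value,
        [string]$Why = ''
    )
    $previous = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    $changed  = $false
    if ($previous -ne $Value -and
        $PSCmdlet.ShouldProcess("$Path\$Name", "set DWORD to $Value ($Why)")) {
        if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
        New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
        $changed = $true
    }
    [pscustomobject]@{ Setting = $Name; Previous = $previous; Target = $Value; Changed = $changed; Why = $Why }
}

$mode = @{ WhatIf = $true }   # preview only; change to @{} to apply

# --- CVE-2019-9506 (KNOB): the update adds the 7-octet minimum but leaves it off
#     until this value is set. Peripherals that cannot negotiate 7 octets will stop
#     connecting afterwards, which is the point, but test them first.
$bt = 'HKLM:\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters'
Set-MitigationValue @mode -Path $bt -Name EnableMinimumEncryptionKeySize -Value 1 -Why 'CVE-2019-9506 min key size'

# --- HTTP/2 DoS (CVE-2019-9511/9512/9513/9514/9518): workaround only for hosts whose
#     HTTP.sys listeners (IIS and friends) do not need HTTP/2; takes effect after the
#     HTTP service restarts, which in practice means a reboot.
$http = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
Set-MitigationValue @mode -Path $http -Name EnableHttp2Tls       -Value 0 -Why 'disable HTTP/2 over TLS'
Set-MitigationValue @mode -Path $http -Name EnableHttp2Cleartext -Value 0 -Why 'disable cleartext HTTP/2'

# --- ADV190023 (domain controllers only). Requiring signing rejects clients that
#     still bind unsigned, so audit first: a DC logs event 2887 in the Directory
#     Service log every 24 h with the count of unsigned/simple binds it accepted, and
#     event 2889 per client once the "16 LDAP Interface Events" diagnostic level is 2.
function Test-IsDomainController {
    (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4   # 4 = BDC, 5 = PDC
}

function Get-UnsignedLdapBindSummary {
    # Most recent 2887 summary, or $null if the DC has not logged one yet.
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2887 } -MaxEvents 1 -ErrorAction SilentlyContinue
}

function Invoke-LdapHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Enforce)
    if (-not (Test-IsDomainController)) { Write-Verbose 'Not a DC; skipping ADV190023'; return }

    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS'
    # Always turn on per-client logging so event 2889 names the offending clients.
    Set-MitigationValue -Path "$ntds\Diagnostics" -Name '16 LDAP Interface Events' -Value 2 -Why 'log 2889 per client'

    $summary = Get-UnsignedLdapBindSummary
    if ($summary) { Write-Warning ('Last 2887 summary: ' + $summary.Message) }

    if (-not $Enforce) { Write-Warning 'Audit only; rerun with -Enforce once the 2889 events are clean'; return }
    # LDAPServerIntegrity 2 = require signing. LdapEnforceChannelBinding 2 = always
    # (1 = when supported); channel binding needs the July 2017 update for CVE-2017-8563.
    Set-MitigationValue -Path "$ntds\Parameters" -Name LDAPServerIntegrity       -Value 2 -Why 'require LDAP signing'
    Set-MitigationValue -Path "$ntds\Parameters" -Name LdapEnforceChannelBinding -Value 2 -Why 'always enforce channel binding'
}

Invoke-LdapHardening @mode            # audit; add -Enforce when the 2889 events are clean
```

The `-WhatIf` preference set on `Invoke-LdapHardening` propagates to the nested `Set-MitigationValue` calls, so the whole run can be previewed before anything is written. On domain-joined fleets the LDAP signing requirement is better pushed through the "Domain controller: LDAP server signing requirements" Group Policy setting than written directly to the registry; the registry write here is what that policy sets underneath, and the 2887/2889 audit step applies either way.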

Looking Ahead

The next patch Tuesday falls on September 10, and we’ll return with details and patch analysis then. Until then, happy patching and may all your reboots be smooth and clean!