The September 2019 Security Update Review

September 10, 2019 | Dustin Childs

September is upon us and with it brings the latest security patches from Microsoft and Adobe. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.  

Adobe Patches for September 2019

Adobe had a small release for September with only two patches covering a total of three CVEs in Adobe Flash and Application Manager. The update for Flash addresses two CVEs, both of which were reported through the ZDI program. The patch corrects a Use-After-Free (UAF) bug and a Same Origin Method Execution bug, both of which are rated Critical in severity. The Application Manager patch fixes an Important-severity DLL hijacking bug.

None of these bugs are listed as being publicly known or under active attack at the time of release.

Microsoft Patches for September 2019

This month, Microsoft released security patches for 80 CVEs plus two advisories. The updates cover Microsoft Windows, Internet Explorer, Microsoft Edge, ChakraCore, Office and Microsoft Office Services and Web Apps, Skype for Business and Microsoft Lync, Visual Studio, .NET Framework, Exchange Server, Microsoft Yammer, and Team Foundation Server. Of these 80 CVEs, 17 are listed as Critical, 62 are listed as Important, and one is listed as Moderate in severity. A total of 18 of these CVEs came through the ZDI program. Two of the bugs this month are listed as publicly known at the time of release, and two other bugs are listed as under active attack.

Let’s take a closer look at some of the more interesting patches for this month, starting with the bugs under active attack:

Note: Post-release, Microsoft revised their advisories to indicate these two CVEs are not under active attack.

- CVE-2019-1215 – Windows Elevation of Privilege Vulnerability
This patch corrects a local privilege escalation (LPE) in the Winsock2 Integrated File System Layer (ws2ifsl.sys). An attacker who exploits this vulnerability could go from User level to Administrator level access. Microsoft reports this is being actively used against both newer and older supported OSes, but they don’t indicate where. Interestingly, this file has been targeted by malware in the past, with some references going back as far as 2007. Not surprising, since malware often targets low-level Windows services. Regardless, since this is being actively used, put this one on the top of your patch list.

- CVE-2019-1214 – Windows Common Log File System Driver Elevation of Privilege Vulnerability
The other bug under active attack this month is also a Windows LPE, this time in the Common Log File System (CLFS) Driver. Again, an attacker could use this to elevate from a regular user to one with Administrative privileges. According to Microsoft, this CVE is only being seen targeting older operating systems. This is a fine time to remind you that Windows 7 is less than six months from end of support, which means you won’t be getting updates for bugs like this one next February. Patch your systems, then work on your upgrade strategy.

- CVE-2019-1289 – Windows Update Delivery Optimization Elevation of Privilege Vulnerability
This patch corrects a rather intriguing bug in the Windows Update Delivery Optimization (WUDO) feature found in Windows 10. This component is designed to reduce network bandwidth by having PCs grab updates from other peers on the network that have already downloaded the update. A local attacker could use this vulnerability to overwrite files they would normally not have permission to modify. While this clearly could lead to an LPE on the local system, it’s not clear if it could be used to impact other systems through WUDO. If you’re using this feature, definitely roll this patch out quickly or disable the feature entirely.

- CVE-2019-1257 – Microsoft SharePoint Remote Code Execution Vulnerability
This patch addresses one of three Critical-rated deserialization bugs in the Business Data Connectivity Service of SharePoint. All three were reported by Markus Wulftange through the ZDI program. For this particular case, an attacker could execute their code under the context of the SharePoint application pool identity by uploading a specially crafted SharePoint application package to an affected server. Normally, you would need to authenticate to upload such a package – unless you have enabled anonymous access. But you wouldn’t do that. Would you? We’ll also have more details about these bugs on our blog in the near future. Stay tuned…

Here’s the full list of CVEs released by Microsoft for September 2019.

| CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older | Type |
|---|---|---|---|---|---|---|---|
| CVE-2019-1214 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | No | Yes | 3 | 0 | EoP |
| CVE-2019-1215 | Windows Elevation of Privilege Vulnerability | Important | No | Yes | 0 | 0 | EoP |
| CVE-2019-1235 | Windows Text Service Framework Elevation of Privilege Vulnerability | Important | Yes | No | 2 | 2 | EoP |
| CVE-2019-1294 | Windows Secure Boot Security Feature Bypass Vulnerability | Important | Yes | No | 2 | 2 | SFB |
| CVE-2019-0787 | Remote Desktop Client Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 | RCE |
| CVE-2019-0788 | Remote Desktop Client Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 | RCE |
| CVE-2019-1138 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
| CVE-2019-1208 | VBScript Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2019-1217 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
| CVE-2019-1221 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
| CVE-2019-1236 | VBScript Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2019-1237 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2019-1257 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 | RCE |
| CVE-2019-1280 | LNK Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2019-1290 | Remote Desktop Client Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 | RCE |
| CVE-2019-1291 | Remote Desktop Client Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 | RCE |
| CVE-2019-1295 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 | RCE |
| CVE-2019-1296 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 | RCE |
| CVE-2019-1298 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
| CVE-2019-1300 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
| CVE-2019-1306 | Azure DevOps and Team Foundation Server Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2019-0928 | Windows Hyper-V Denial of Service Vulnerability | Important | No | No | N/A | 2 | DoS |
| CVE-2019-1142 | .NET Framework Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-1209 | Lync 2013 Information Disclosure Vulnerability | Important | No | No | 2 | N/A | Info |
| CVE-2019-1216 | DirectX Information Disclosure Vulnerability | Important | No | No | N/A | 1 | Info |
| CVE-2019-1219 | Windows Transaction Manager Information Disclosure Vulnerability | Important | No | No | 1 | 1 | Info |
| CVE-2019-1220 | Microsoft Browser Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 | SFB |
| CVE-2019-1231 | Rome SDK Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-1232 | Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-1233 | Microsoft Exchange Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
| CVE-2019-1240 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-1241 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-1242 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-1243 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-1244 | DirectWrite Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-1245 | DirectWrite Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-1246 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-1247 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-1248 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-1249 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-1250 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-1251 | DirectWrite Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-1252 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-1253 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-1254 | Windows Hyper-V Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-1256 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 3 | 1 | EoP |
| CVE-2019-1258 | Azure Active Directory Authentication Library Elevation of Privilege Vulnerability | Important | No | No | N/A | N/A | EoP |
| CVE-2019-1260 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-1261 | Microsoft SharePoint Spoofing Vulnerability | Important | No | No | 2 | 2 | Spoof |
| CVE-2019-1262 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | N/A | 2 | XSS |
| CVE-2019-1263 | Microsoft Excel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-1264 | Microsoft Office Security Feature Bypass Vulnerability | Important | No | No | N/A | 2 | SFB |
| CVE-2019-1265 | Microsoft Yammer Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 | SFB |
| CVE-2019-1266 | Microsoft Exchange Spoofing Vulnerability | Important | No | No | 2 | 2 | Spoof |
| CVE-2019-1267 | Microsoft Compatibility Appraiser Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-1268 | Winlogon Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-1269 | Windows ALPC Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-1270 | Microsoft Windows Store Installer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-1271 | Windows Media Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-1272 | Windows ALPC Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-1273 | Active Directory Federation Services XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
| CVE-2019-1274 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-1277 | Windows Audio Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-1278 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-1282 | Windows Common Log File System Driver Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-1283 | Microsoft Graphics Components Information Disclosure Vulnerability | Important | No | No | N/A | 2 | Info |
| CVE-2019-1284 | DirectX Elevation of Privilege Vulnerability | Important | No | No | N/A | 1 | EoP |
| CVE-2019-1285 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2019-1286 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-1287 | Windows Network Connectivity Assistant Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-1289 | Windows Update Delivery Optimization Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-1292 | Windows Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
| CVE-2019-1293 | Windows SMB Client Driver Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-1297 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-1299 | Microsoft Edge based on Edge HTML Information Disclosure Vulnerability | Important | No | No | 2 | N/A | Info |
| CVE-2019-1301 | .NET Core Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
| CVE-2019-1302 | ASP.NET Core Elevation Of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-1303 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-1305 | Team Foundation Server Cross-site Scripting Vulnerability | Important | No | No | 2 | 2 | XSS |
| CVE-2019-1259 | Microsoft SharePoint Spoofing Vulnerability | Moderate | No | No | N/A | 2 | Spoof |
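Since the point of the post is patch prioritization, here is an added triage script (not part of the original post or of any ZDI tooling) that parses the table above, whether written as whitespace-separated rows or as a pipe-delimited table, and orders the CVEs the way the post does: bugs under active attack first, then publicly known ones, then by severity and Microsoft's Exploitability Index. Five rows copied from the table are embedded as a constructed sample.

```python
from collections import namedtuple

# One table row; xi_* are Microsoft's Exploitability Index ratings for the latest
# and older product versions ("N/A" when a column does not apply).
Row = namedtuple("Row", "cve title severity public exploited xi_latest xi_older kind")

SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}

def parse_row(line: str) -> Row:
    # Accept both "CVE-... title ... Type" and "| CVE-... | title | ... | Type |".
    parts = line.replace("|", " ").split()
    if len(parts) < 8 or not parts[0].startswith("CVE-"):
        raise ValueError(f"not a CVE row: {line!r}")
    # The title is free text with spaces, so peel the fixed fields off both ends.
    cve, *title, sev, pub, expl, xi_l, xi_o, kind = parts
    return Row(cve, " ".join(title), sev, pub == "Yes", expl == "Yes", xi_l, xi_o, kind)

def xi_rank(xi: str) -> int:
    # XI 0 = exploitation detected, 1 = more likely, 2 = less likely, 3 = unlikely.
    return int(xi) if xi.isdigit() else 9  # "N/A" sorts after every real rating

def priority(r: Row) -> tuple:
    """Sort key: under attack first, then public, then severity, then best XI."""
    return (not r.exploited, not r.public, SEVERITY_RANK.get(r.severity, 9),
            min(xi_rank(r.xi_latest), xi_rank(r.xi_older)), r.cve)

def triage(lines) -> list:
    rows = []
    for line in lines:
        tokens = line.replace("|", " ").split()
        if tokens and tokens[0].startswith("CVE-"):  # skip header/separator rows
            rows.append(parse_row(line))
    return sorted(rows, key=priority)

# Constructed sample: five rows copied from the table above, in the flat layout.
SAMPLE = """\
CVE-2019-1214 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important No Yes 3 0 EoP
CVE-2019-1235 Windows Text Service Framework Elevation of Privilege Vulnerability Important Yes No 2 2 EoP
CVE-2019-0787 Remote Desktop Client Remote Code Execution Vulnerability Critical No No 1 1 RCE
CVE-2019-1138 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No 2 N/A RCE
CVE-2019-1259 Microsoft SharePoint Spoofing Vulnerability Moderate No No N/A 2 Spoof
""".splitlines()

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(r.cve, r.severity, r.kind, r.title)
```

Feed it the whole table (one line per row) and the first entries are the ones the post tells you to patch first; the CVE id breaks ties so the order is stable.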

Of the two publicly known bugs, one was highly publicized in a blog post just after last patch Tuesday. The update closes a hole that could possibly allow attackers to hijack just about any application. Although we haven’t seen this being used in the wild yet, there’s a strong possibility that will happen. The other publicly known issue involves a bypass in the Secure Boot functionality. It sounds worse than it actually is, as this bug could only allow attackers with physical access to get debugging functionality.

You’ll notice there are Remote Desktop bugs being patched in this release as well, but unlike BlueKeep and DejaBlue, these members of the Blue Bug Group are all client-side. An attacker would need to convince someone to connect to their malicious RDP server or otherwise intercept (MITM) the traffic. It’s good to see these issues patched, but they don’t carry the urgency of the recent wormable bugs.

Of the remaining Critical-rated patches, nine correct browse-and-own scenarios in either a browser or a browser component. In reading these, Microsoft now seems to be referring to older Edge versions as “Microsoft Edge (EdgeHTML-based)” or “Microsoft Edge based on EdgeHTML” in order to distinguish it from Edge based on the Chromium source code.

More interestingly, this is the second month in a row with a patch for an LNK vulnerability. Considering the history of exploits using LNK vulnerabilities, including recent malware campaigns using fileless execution and (of course) Stuxnet, these bugs always get attention from attackers.

The final Critical patch for September fixes a bug in Azure DevOps (ADO) and Team Foundation Server (TFS) that could allow an attacker to execute code on the server in the context of the TFS or ADO service account. An attacker would need permissions to upload a file to a target repo, but if they do, they can achieve code execution once the affected server indexes their file. We’ll have additional details (with video!) about this bug in the near future as well.

Moving on to the Important-rated patches, the first that pops out is a Denial-of-Service (DoS) bug impacting Microsoft Exchange. An attacker could shut down an affected server just by sending it a specially crafted email. No user interaction is required. Neat. There’s also a patch that addresses an Exchange spoofing vulnerability, but that one requires a user to click a link.

Info disclosure bugs get their fair share of attention this month with 16 patches impacting Windows and Office components. There are also three cross-site scripting (XSS) and three spoofing bugs fixed this month to go with the many EoP and RCEs. Rounding out this month’s release, there are a few updates for the JET Database, Office, SharePoint, .NET and ASP.NET, and other various Windows components. 

Looking at the advisories for September, the first is Microsoft’s version of the aforementioned patch for Flash in Internet Explorer. The other is the update to the Windows Servicing Stack, which adds updates for Windows 10 version 1607, Windows Server 2016, Windows 10 version 1809, and Windows Server 2019.

Looking Ahead

The next patch Tuesday falls on October 8, and we’ll return with details and patch analysis then. Until then, happy patching and may all your reboots be smooth and clean!