Microsoft issued the September 2019 Security Updates, which include 79 unique vulnerability fixes, 17 of them rated critical. In addition, two of the patches address 0-day privilege escalation vulnerabilities, CVE-2019-1214 and CVE-2019-1215.
The updates address vulnerabilities in multiple Microsoft products, including:
- .NET Core
- .NET Framework
- Adobe Flash Player
- ASP.NET
- ChakraCore
- Internet Explorer
- Microsoft Edge (EdgeHTML-based)
- Microsoft Exchange Server
- Microsoft Lync
- Microsoft Office and Microsoft Office Services and Web Apps
- Microsoft Windows
- Microsoft Yammer
- Project Rome
- Team Foundation Server
- Visual Studio
Microsoft has provided patches for each of the CVEs summarized in the September 2019 Security Updates Release Notes.
Privilege Escalation 0-days
The two privilege escalation issues are CVE-2019-1214 in the Common Log File System (CLFS) driver and CVE-2019-1215 in the Winsock driver. Each is being exploited in the wild and is rated Important.
Microsoft says exploitation of each of these vulnerabilities is more likely. In addition, these issues could allow an attacker to execute code (or run processes) with elevated privileges.
Remote Desktop Client vulnerabilities
Microsoft also patched four critical remote code execution (RCE) vulnerabilities (CVE-2019-0787, CVE-2019-0788, CVE-2019-1290 and CVE-2019-1291) that impact the Windows Remote Desktop Client.
Microsoft warned how an attacker could exploit each of the four RCE vulnerabilities:
“To exploit this vulnerability, an attacker would need to have control of a server and then convince a user to connect to it. An attacker would have no way of forcing a user to connect to the malicious server, they would need to trick the user into connecting via social engineering, DNS poisoning or using a Man in the Middle (MITM) technique. An attacker could also compromise a legitimate server, host malicious code on it, and wait for the user to connect.”
SharePoint RCE vulnerabilities
Microsoft also fixed three RCE vulnerabilities (CVE-2019-1257, CVE-2019-1295, and CVE-2019-1296) in SharePoint Server.
The first of the three RCE bugs exists when SharePoint software fails to check the source markup of an application package. The other two impact SharePoint APIs.
Azure DevOps and TFS RCE vulnerabilities
Microsoft also released updates for another critical RCE bug, CVE-2019-1306, that impacts Azure DevOps Server and Team Foundation Server (TFS).
An attacker could exploit this vulnerability and then execute code on the server in the context of the TFS or ADO service account.
Summary of Critical vulnerabilities
In summary, 17 critical vulnerabilities were fixed and all are RCE:
- CVE-2019-0787
- CVE-2019-0788
- CVE-2019-1138
- CVE-2019-1208
- CVE-2019-1217
- CVE-2019-1221
- CVE-2019-1236
- CVE-2019-1237
- CVE-2019-1257
- CVE-2019-1280
- CVE-2019-1290
- CVE-2019-1291
- CVE-2019-1295
- CVE-2019-1296
- CVE-2019-1298
- CVE-2019-1300
- CVE-2019-1306
Adobe Flash Player update
This week Adobe also released a security update (APSB19-46) for Adobe Flash Player for Windows, macOS, Linux and Chrome OS.
The update fixes two critical vulnerabilities (CVE-2019-8069 and CVE-2019-8070) that could result in arbitrary code execution.
Intel updates
Finally, Intel also released a pair of security updates this week.
The first update addresses CVE-2019-11184, a vulnerability in some microprocessors with Intel Data Direct I/O Technology and Remote Direct Memory Access (RDMA) that may allow partial information disclosure via adjacent access.
The second update fixes CVE-2019-11166, a vulnerability in Intel Easy Streaming Wizard software that may allow escalation of privileges.