Patch Tuesday September 2019
This month Microsoft patches two zero-days that could lead to elevation of privileges and more Remote Desktop Protocol bugs.
Windows and Windows Server
This month’s Patch Tuesday cumulative update (CU) for Windows 10 has caused another media storm, with some users experiencing broken search. The problem stems from an issue that started after Microsoft released a fix (KB4512941) for the Visual Basic 6, VBA, and VBScript issues that I reported last month, which saw some users suffer severe CPU spikes caused by the Cortana SearchUI.exe process. A fix arrived in the September CU for Windows 10 (KB4515384) but it appears to have broken the Start menu and Windows Desktop Search. It’s worth noting that this issue only occurs on devices that have disabled searching the web using Windows Desktop Search (WDS).
If you have the default WDS settings, you won’t be affected; and that means most Windows 10 1903 users. So, while it would have been preferable that this issue hadn’t occurred, testing against every perceivable Windows configuration is no easy task. It’s not clear whether Microsoft may again have missed warnings from Windows Insiders in the Feedback Hub. If so, that is less forgivable when the information you need to roll out a quality update is sitting right under your nose.
There are 4 Remote Code Execution (RCE) vulnerabilities patched in the Remote Desktop Protocol (RDP) service this month, both rated critical. A fifth critical fix patches a bug that could allow remote code execution if a .LNK file is processed.
Two zero-day Elevation of Privilege (EoP) bugs (CVE-2019-1214 and CVE-2019-1215) are fixed this month. Zero-day flaws are bugs actively being exploited before a fix is available. As such, you should make sure you get systems updated as quickly as your testing allows. CVE-2019-1214 is a bug in how the Windows Common Log File System (CLFS) driver handles objects in memory and could let an attacker run processes with elevated privileges. CVE-2019-1215 is a problem with how ws2ifsl.sys (Winsock) handles objects in memory and could again let an attacker run processes with elevated privileges. Both the flaws affect all supported versions of Windows. Aside from these two zero-days, there are another 17 fixes for EoP bugs rated important.
IE11 gets three patches to fix a critical issue that could let an attacker run arbitrary code in the context of the logged in user. Again, it’s a problem with the way VBScript handles objects in memory. A security feature bypass vulnerability is patched where Microsoft Browsers don’t validate the correct Security Zone of requests for specific URLs. It could cause a user to access a URL in a less restricted Internet Security Zone than policy dictates.
Office 365 Pro Plus gets four fixes this month, two of which are important RCEs. One in the Windows Jet Database Engine and the second in Microsoft Excel where it fails to properly handle objects in memory. It could let an attacker run arbitrary code in the context of the current user. A bug in how Office handles user input is patched. In a file-sharing attack scenario, it could let an attacker convince a user to open a document, interact with it, and then run arbitrary commands. Finally, an information disclosure vulnerability in Microsoft Excel improperly discloses memory content and an attacker could use the information to compromise the computer or data.
Microsoft Exchange, SharePoint, and SQL Server
A couple of flaws are patched in Exchange this month. A denial of service bug where Exchange fails to properly handle objects in memory, and it could let an attacker launch a denial of service attack. There’s also a spoofing vulnerability when Outlook Web App (OWA) fails to handle web requests properly, potentially allowing an attacker to perform script or content injection attacks, and trick users into disclosing sensitive information.
There are six patches for SharePoint, three of which are critical RCEs. One plugs a flaw where APIs aren’t properly protected from unsafe data input and could let an attacker run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account. There are also two EoP patches and a fix for a spoofing problem.
There are no patches for SQL Server.
A patch for Flash Player fixes two arbitrary code execution flaws rated critical (CVE-2019-8070 and CVE-2019-8069).
And that is it until October!