Every now and again, a Microsoft Patch Tuesday update arrives with a bang that sends users scrambling for cover.
Arguably, September 2019’s update earns that description, featuring no fewer than 17 critical flaws (excluding Adobe), plus two zero-day vulnerabilities marked ‘important’ which Microsoft says are being exploited in the wild.
The latter are CVE-2019-1214 and CVE-2019-1215, both elevation of privilege bugs in all versions (7, 8.1, 10, including Servers) of the Windows Common Log File System (CLFS) and ws2ifsl.sys (Winsock), respectively.
Both require local authentication, which means that the exploitation Microsoft is worried about probably depends on being used in conjunction with other vulnerabilities.
But don’t be lulled by the non-critical status – both are dangerous enough to allow an attacker to gain admin privileges. The difference between ‘important’ and ‘critical’ in this context is just the amount of effort required rather than the trouble it could cause.
In addition, two others marked ‘important’, CVE-2019-1235 (Windows Test Service Framework) and CVE-2019-1294 (Secure Boot Bypass) are in the public domain, which means that exploitation is now a possibility.
RDS and all that
The standouts from a total of 80 flaws are, naturally, the criticals. Among these are four client-side flaws in the Remote Desktop, CVE-2019-0787, CVE-2019-0788, CVE-2019-1290, and CVE-2019-1291.
The theme of bugs in Remote Desktop Services (RDS, previously Terminal Services) and Remote Desktop Protocol (RDP) has become a flaw buffet this year (see this summer’s ‘BlueKeep’), but these would be harder to exploit and not wormable. As Microsoft writes:
To exploit this vulnerability, an attacker would need to have control of a server and then convince a user to connect to it.
More likely, an attacker would simply compromise a legitimate server the user already trusts using a known server-side flaw vulnerability and then wait for victims to connect.
Windows shortcut
Another interesting critical flaw is CVE-2019-1280, a remote code execution bug connected to how Windows processes .LNK Windows shortcut files which Microsoft describes as follows:
The attacker could present to the user a removable drive, or remote share, that contains a malicious
.LNKfile and an associated malicious binary.
If this sounds rather familiar, that might be because it’s a type of flaw made famous by CVE-2010-2568, – a key vulnerability exploited by the Stuxnet attacks against Iran in 2010 (the technique was also abused by the ‘Astaroth’ fileless malware in 2018).
Adobe
September 2019 is another modest month for Adobe, featuring only three CVEs that fix two critical bugs in Flash Player (CVE-2019-8069, CVE-2019-8070), and one DLL hijacking flaw rated ‘important’ in Application Manager.
Bonnie Frantzen
Found out august update corrupted my laptop now having to pay to get it fixed never have liked wonders 10.
Mahhn
You shouldn’t have to, but it’s good practice to back up your drive. I like Clonezilla, but there are many great clone apps out there (I haven’t tried windows built in app). If you ever get infected or have hard drive failure, it is a fantastic free (less the spare drive) resource.
Spryte
I remember! That was the one that took 20 hours.
More time wasted waiting for MS to do something.
Paul Mellor
I have no problems with these enormous Patch Tuesdays except when my PC does not restart properly afterwards. This time it crashed saying I had a DRIVER OVERRAN STACK BUFFER. After a hard power off it would not recognize my Google sign in, but after a second power off I was in ok. Overall this does not inspire confidence.