[SingCERT] Microsoft September 2019 Patch Tuesday

Published on 11 Sep 2019

Updated on 23 Oct 2019

Background

Microsoft has announced the release of 80 security patches to address vulnerabilities affecting its Operating System (OS) and other related products.
The following vulnerabilities were rated critical and require immediate attention:

Zero-day vulnerabilities

• CVE-2019-1214 - This vulnerability exists in the Windows Common Log File System (CLFS) driver. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code with administrator privileges on the host operating system.

• CVE-2019-1215 - This vulnerability exists in the Winsock2 Integrated File System Layer. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code with administrator privileges on the host operating system.

Critical vulnerabilities

• CVE-2019-0787, CVE-2019-0788, CVE-2019-1290, CVE-2019-1291 - These vulnerabilities exist in the Windows Remote Desktop Client when a user connects to a malicious server. Successful exploitation of the vulnerabilities could allow an attacker to execute arbitrary code on the host operating system.

• CVE-2019-1235 - This vulnerability exists in the Windows Text Service Framework (TSF) when the TSF server process does not validate the source of input or commands it receives. Successful exploitation of this vulnerability could allow an attacker to inject commands and read inputs sent through a malicious Input Method Editor (IME).

• CVE-2019-1253 - This vulnerability exists when the Windows AppX Deployment Server improperly handles junctions. Successful exploitation of this vulnerability could allow an attacker to run a specially crafted application to elevate privileges.

• CVE-2019-1294 - This vulnerability exists when Windows Secure Boot improperly restricts access to debugging functionality. Successful exploitation of this vulnerability could disclose protected kernel memory.

• CVE-2019-1295, CVE-2019-1296 - These vulnerabilities exist in Microsoft SharePoint when the Application Programming Interfaces (APIs) are not properly protected from unsafe data input. Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.

• CVE-2019-1257 - This vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.

• CVE-2019-1298, CVE-2019-1300, CVE-2019-1217, CVE-2019-1237 - These vulnerabilities exist in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code on the host operating system.

• CVE-2019-1208 - This vulnerability exists in the way that the Visual Basic Script (VBScript) engine handles objects in memory. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the host operating system.

• CVE-2019-1221 - This vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the host operating system.

• CVE-2019-1280 - This vulnerability exists in Microsoft Windows when a .LNK file is processed. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the host operating system.

• CVE-2019-1306 - This vulnerability exists when Azure DevOps Server (ADO) and Team Foundation Server (TFS) fail to validate input properly. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the server in the context of the TFS or ADO service account.

• ADV990001 - This is a list of the latest servicing stack updates for each operating system. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV990001

• ADV190022 - This is an Adobe Flash security update which addresses CVE-2019-8069 and CVE-2019-8070. It is important to install the latest Adobe Flash update: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190022

For the full list of security updates released by Microsoft, please visit https://portal.msrc.microsoft.com/en-us/security-guidance.

Affected Products

Microsoft’s release contains updates for the following:
• Microsoft Windows
• Internet Explorer
• Microsoft Edge (EdgeHTML-based)
• ChakraCore
• Microsoft Office and Microsoft Office Services and Web Apps
• Adobe Flash Player
• Microsoft Lync
• Visual Studio
• Microsoft Exchange Server
• .NET Framework
• Microsoft Yammer
• .NET Core
• ASP.NET
• Team Foundation Server
• Project Rome

Impact

Successful exploitation of these critical vulnerabilities could allow attackers to perform remote code execution and take control of the affected systems to perform malicious activities, including installing programs without authorisation, creating rogue administrator accounts, and viewing, changing or deleting data.

Recommendation

Users and system administrators of affected products are strongly encouraged to apply the security updates immediately.
