September 2019 Patch Tuesday: Microsoft plugs two actively exploited zero-days

For the September 2019 Patch Tuesday, Microsoft delivered fixes for 80 CVE-numbered security issues (including to actively exploited zero-days), Adobe fixed flaws in Flash Player and Application Manager, and Intel offered solutions and mitigations for two security holes, one of which could allow a side-channel attack aimed at acquiring sensitive data (e.g., keystrokes in a SSH session).

September 2019 Patch Tuesday

Microsoft’s patches

Let’s start with the zero-days exploited in the wild.

CVE-2019-1214 is an elevation of privilege vulnerability in the Windows Common Log File System (CLFS) Driver. CVE-2019-1215 is an elevation of privilege vulnerability in the Winsock IFS Driver (ws2ifsl.sys).

“Both flaws exist due to improper handling of objects in memory by the respective drivers,” says Satnam Narang, senior research engineer at Tenable, and points out that attackers must first gain access to a system before taking advantage of them.

Microsoft reports CVE-2019-1215 being used against both newer and older supported OSes, while CVE-2019-1214 is only being used against older ones.

“This is a fine time to remind you that Windows 7 is less than six months from end of support, which means you won’t be getting updates for bugs like this one next February,” says Trend Micro ZDI’s Dustin Childs, and advises: “Patch your systems, then work on your upgrade strategy.”

(Windows Server 2008 R2 will also be out of extended support and no longer receiving updates as of January 14, 2020.)

Other fixed vulnerabilities of note:

CVE-2019-1257, CVE-2019-1295, and CVE-2019-1296 – RCE flaws in Sharepoint, patches for which should be prioritized for SharePoint servers.

CVE-2019-0787, CVE-2019-0788, CVE-2019-1290, and CVE-2019-1291 – RCEs in the Remote Desktop Client (RDP). They were discovered by Microsoft as a result of internal vulnerability testing against the Remote Desktop Client, which was spurred by the attention the BlueKeep and DejaBlue (CVE-2019-1181 and CVE-2019-1182) RDP vulnerabilities got.

As Childs noted, these are all client-side and an attacker would need to convince someone to connect to their malicious RDP server or otherwise intercept the traffic. “It’s good to see these issues patched, but they don’t carry the urgency of the recent wormable bugs,” he added.

Jimmy Graham, Senior Director of Product Management at Qualys, advises prioritizing Scripting Engine, Browser, and LNK patches for workstations, and the patch for CVE-2019-1306 – a RCE in Azure DevOps Server and Team Foundations Server that can be exploited through malicious file uploads – for Azure DevOps or TFS installations.

As usual, SANS ISC handler Renato Marinho has compiled a handy dashboard covering all the fixed flaws.

Adobe’s patches

After an hefty August Patch Tuesday, Adobe has followed with an extremely light one.

The Flash Player updates (for Windows, macOS, Linux and Chrome OS) are more important, as they address two critical CVEs that could lead to to arbitrary code execution in the context of the current user.

The security update for Application Manager is only for the Windows version and fixes an insecure library loading vulnerability that could lead to arbitrary code execution.

Intel’s patches

Intel has fixed a medium severity privilege escalation flaw in the Intel Easy Streaming Wizard software and has offered recommendations for mitigating the risk of exploitation of CVE-2019-11184, “a race condition in specific microprocessors using Intel (R) DDIO cache allocation and RDMA may allow an authenticated user to potentially enable partial information disclosure via adjacent access.”

The vulnerability was discovered and flagged by VUSec researchers (VUSec is the Systems and Network Security Group at Vrije Universiteit Amsterdam) and is crucial for pulling off a set of cache attacks they dubbed NetCAT. Intel deems the vulnerability to be of low severity as it’s not easily exploited.

UPDATE: September 13, 11:25 PM PT – Microsoft reached out to say that their previous information about the CVEs being “under attack” is incorrect:

CVE-2019-1214 and CVE-2019-1215 were initially marked incorrectly as under attack. This designation has since been updated in the advisories: CVE-2019-1214, CVE-2019-1215.