September 2019’s Patch Tuesday: 2 zero-days, 17 critical bugs

Every now and again, a Microsoft Patch Tuesday update arrives with a bang that sends users scrambling for cover.

Arguably, September 2019’s update earns that description, featuring no fewer than 17 critical flaws (excluding Adobe), plus two zero-day vulnerabilities marked ‘important’ which Microsoft says are being exploited in the wild.

The latter are CVE-2019-1214 and CVE-2019-1215, both elevation of privilege bugs in all versions (7, 8.1, 10, including Servers) of the Windows Common Log File System (CLFS) and ws2ifsl.sys (Winsock), respectively.

Both require local authentication, which means that the exploitation Microsoft is worried about probably depends on being used in conjunction with other vulnerabilities.

But don’t be lulled by the non-critical status – both are dangerous enough to allow an attacker to gain admin privileges.  The difference between ‘important’ and ‘critical’ in this context is just the amount of effort required rather than the trouble it could cause.

In addition, two others marked ‘important’, CVE-2019-1235 (Windows Test Service Framework) and CVE-2019-1294 (Secure Boot Bypass) are in the public domain, which means that exploitation is now a possibility.

RDS and all that

The standouts from a total of 80 flaws are, naturally, the criticals. Among these are four client-side flaws in the Remote Desktop, CVE-2019-0787, CVE-2019-0788, CVE-2019-1290, and CVE-2019-1291.

The theme of bugs in Remote Desktop Services (RDS, previously Terminal Services) and Remote Desktop Protocol (RDP) has become a flaw buffet this year (see this summer’s ‘BlueKeep’), but these would be harder to exploit and not wormable. As Microsoft writes:

To exploit this vulnerability, an attacker would need to have control of a server and then convince a user to connect to it.

More likely, an attacker would simply compromise a legitimate server the user already trusts using a known server-side flaw vulnerability and then wait for victims to connect.

Windows shortcut

Another interesting critical flaw is CVE-2019-1280, a remote code execution bug connected to how Windows processes .LNK Windows shortcut files which Microsoft describes as follows:

The attacker could present to the user a removable drive, or remote share, that contains a malicious .LNK file and an associated malicious binary.

If this sounds rather familiar, that might be because it’s a type of flaw made famous by CVE-2010-2568, – a key vulnerability exploited by the Stuxnet attacks against Iran in 2010 (the technique was also abused by the ‘Astaroth’ fileless malware in 2018).

Adobe

September 2019 is another modest month for Adobe, featuring only three CVEs that fix two critical bugs in Flash Player (CVE-2019-8069, CVE-2019-8070), and one DLL hijacking flaw rated ‘important’ in Application Manager.