October Patch Tuesday: Microsoft fixes critical remote desktop bug

Microsoft fixed 59 vulnerabilities in October’s Patch Tuesday, including several critical remote code execution (RCE) flaws.

One of the most significant was a flaw (CVE-2019-1333) in the company’s Remote Desktop Client that enables a malicious server to gain control of a Windows computer connecting to it. An attacker could accomplish this using social engineering, DNS poisoning, a man-in-the-middle attack, or by compromising a legitimate server, Microsoft warned. Once they compromised the client, they could execute arbitrary code on it.

Another critical RCE vulnerability affected the MS XML parser in Windows 8.1, Windows 10, Windows Server 2012 through 2019, and RT 8.1. An attacker can trigger the CVE-2019-1060 flaw through a malicious website that invokes the parser in a browser.

A memory corruption bug in Edge’s Chakra scripting engine (CVE-2019-1366) also enables a malicious website to trigger RCE, operating at the user’s account privileges, while an RCE vulnerability in Azure Stack, Microsoft’s on-premises extension of its Azure cloud service, escapes the sandbox by running arbitrary code with the NT AUTHORITY\system account.

The company also patched a critical RCE bug in VBScript that lets an attacker corrupt memory and take control of the system, usually by sending an ActiveX control via a website or Office document. Hopefully bugs in VBScript will become less important over time now that the company has deprecated the language.

Other notable bugs ranked important that Microsoft patched this week included a spoofing vulnerability in Microsoft Edge, and an IIS Server elevation of privilege vulnerability (CVE-2019-1365) that could enable an attacker to escape the IIS sandbox with a web request.

There was also a flaw in the Windows Secure Boot feature that would let an attacker expose protected kernel memory by accessing debugging functionality that should be protected. They’d have to get physical access to the machine to take advantage of this bug, labelled CVE-2019-1368.

On-premises users of the Dynamics 365 business finance and operations system should patch the CVE-2019-1375 cross-site scripting bug that lets an attacker hijack user sessions.

Among the dozens of other bugs that Redmond patched this week was an elevation of privilege vulnerability in the Windows Update client. It could allow an attacker to take control of the function that updates the Windows operating system and install, change or delete programs at will. They’d have to be logged into the system first, though.

Also included in the patch were monthly rollups for the CVE-2019-1367 critical memory corruption bug in Internet Explorer that could execute an attacker’s arbitrary code in the current user context. It affects IE 9, 10, and 11. The same monthly rollup features an update for the CVE-2019-1255 bug. We reported both of these last month and the patches have been available since 23 September 2019. However, the initial IE zero-day patch was confusing and caused problems, according to reports.

It was a quiet month for Adobe, with no patches or advisories.