Microsoft patched 79 unique CVEs in this month’s security update round, including two zero-days and three vulnerabilities in Windows which had been publicly disclosed.
The two zero-day vulnerabilities are both elevation-of-privilege flaws: CVE-2019-1215 is in the Winsock component, while CVE-2019-1214 exists in the Windows Common Log File System driver. Microsoft's earlier statement that the vulnerabilities were "under attack" has since been corrected by Redmond as inaccurate.
Microsoft also fixed a quartet of critical bugs in its Remote Desktop Client: CVE-2019-0787, CVE-2019-0788, CVE-2019-1290, and CVE-2019-1291. According to Qualys senior director Jimmy Graham, “to exploit these vulnerabilities an attacker would need to get a user to connect to a malicious or compromised RDP server.”
Recorded Future intelligence analyst Allan Liska flagged CVE-2019-1257 for immediate attention. This remote code execution vulnerability affects SharePoint Server 2019, SharePoint Enterprise Server 2016 and SharePoint Foundation 2010 and 2013.
He warned that attackers are often quick to exploit SharePoint bugs.
“SharePoint is a common target for attackers not only because of the sensitivity of the information often contained on SharePoint servers, but because they tend to provide full access to victim networks,” Liska added. “The vulnerability stems from the fact that certain versions of SharePoint do not properly check the source markup of an application package. An attacker can create a specially crafted application package and upload it to the SharePoint server and use the package to execute arbitrary code.”
It was a pretty light patch load for Adobe this month: the firm fixed just two critical vulnerabilities in its Flash Player, which should nevertheless be prioritized on workstations, experts warned.
Ivanti’s director of security solutions, Chris Goettl, explained that Microsoft released servicing stack updates for all operating systems yesterday, as part of ongoing adjustments to the software update process.
Although servicing stack updates are rated critical, they don’t actually resolve any immediate software flaws, he said.
“They are also not part of the cumulative update chain. Servicing stack updates are a separate update that needs to be installed outside of the normal cumulative or security-only bundle,” Goettl continued.
“This is a critical update to Microsoft’s update system within the OS. This means some changes are coming down the line and there will be a point where you cannot apply the Windows updates on the system if the servicing stack update is not applied.”
He urged system admins to start testing these as soon as possible and have them in place before November.
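As an added example, not from the article or from Ivanti: a PowerShell function that asks the local Windows Update Agent which servicing stack updates are offered to the host and whether they are already installed, so an outstanding SSU can be staged ahead of the cumulative update. It assumes the host can reach its update source (Windows Update or WSUS) and uses the documented Title, KBArticleIDs and IsDownloaded members of the IUpdate COM interface.

```powershell
# Added example: report servicing stack updates (SSUs) that Windows Update
# offers to this machine and whether each is installed, so the SSU can be
# applied before the monthly cumulative update. Uses the Windows Update Agent
# COM API (Microsoft.Update.Session), which is present on supported Windows.
function Get-ServicingStackUpdateStatus {
    [CmdletBinding()]
    param()
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # One search for not-yet-installed updates (0) and one for installed (1).
    foreach ($state in @(0, 1)) {
        $result = $searcher.Search("IsInstalled=$state")
        foreach ($u in $result.Updates) {
            # SSUs are titled "Servicing Stack Update for Windows ... (KBnnnnnnn)".
            if ($u.Title -notmatch 'Servicing Stack Update') { continue }
            $kb = if ($u.KBArticleIDs.Count -gt 0) { 'KB' + $u.KBArticleIDs.Item(0) } else { $null }
            [pscustomobject]@{
                Title      = $u.Title
                KB         = $kb
                Installed  = [bool]$state
                Downloaded = $u.IsDownloaded
            }
        }
    }
}

# Rows with Installed = $false are the SSUs that must go in outside the
# cumulative/security-only bundle; an empty result means none is outstanding.
Get-ServicingStackUpdateStatus | Format-Table -AutoSize
```

Run it in an elevated session on a test host first; the search against WSUS or Windows Update can take a minute or more on machines with a long update history.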