Lucene search

talosblog[email protected] (Jon Munshaw)TALOSBLOG:C3F889D9C3C954C42160A3C26034C2F6
HistorySep 10, 2019 - 12:12 p.m.

Microsoft Patch Tuesday — Sept. 2019: Vulnerability disclosures and Snort coverage

[email protected] (Jon Munshaw)





By Jon Munshaw.

Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 85 vulnerabilities, 19 of which are rated “critical," 65 that are considered “important” and one “moderate.” There is also a critical advisory relating to the latest update to Adobe Flash Player.

This month’s security update covers security issues in a variety of Microsoft services and software, including the Jet Database Engine and the Hyper-V hypervisor.

Talos also released a new set of SNORTⓇ rules that provide coverage for some of these vulnerabilities. For more, check out the Snort blog post here.

Critical vulnerabilities

Microsoft disclosed 19 critical vulnerabilities this month, all of which we will highlight below.

CVE-2019-1291, CVE-2019-1290, CVE-2019-0788 and CVE-2019-0787 are all remote code execution vulnerabilities in Windows Remote Desktop Protocol. An attacker can exploit these bugs by sending a specially crafted request to a client’s RDP software. If successful, the attacker could then gain the ability to execute arbitrary code. These vulnerabilities are pre-authentication and require no user interaction.

CVE-2019-1257, CVE-2019-1296 and CVE-2019-1295 are remote code execution vulnerabilities in Microsoft SharePoint, a document manager and storage system. Some APIs in the software are exposed in unsafe ways, opening them up to exploitation if the user opens a specially crafted file. An attacker could exploit these vulnerabilities to gain the ability to execute code in the context of the SharePoint application pool and SharePoint server farm account.

CVE-2019-0719 and CVE-2019-0721 are remote code execution vulnerabilities in the Windows Hyper-V hypervisor. These bugs arise when the Hyper-V Network Switch on a host server improperly validates input from an authenticated user on a guest operating system. An attacker could exploit these by running a specially crafted application on a guest OS, potentially causing the Hyper-V host OS to execute arbitrary code.

CVE-2019-1138, CVE-2019-1217, CVE-2019-1237, CVE-2019-1298 and CVE-2019-1300 are remote code execution vulnerabilities in Chakra Scripting Engine when the engine attempts to handle objects in memory in the Microsoft Edge web browser. An attacker could exploit these bugs to corrupt memory on the target system, and then gain the ability to execute arbitrary code on the victim machine. A user can only trigger these vulnerabilities by clicking on an attacker-created web site in Microsoft Edge or a malicious ad on another site. CVE-2019-1221 is similar to these vulnerabilities, only it exists in Internet Explorer’s scripting engine.

CVE-2019-1208 and CVE-2019-1236 are remote code executions in the VBScript engine that exist in the way the engine handles objects in memory. An attacker could exploit these vulnerabilities by tricking the user into visiting a specially crafted website on Internet Explorer. Additionally, they could embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that utilizes the Internet Explorer rendering engine.

CVE-2019-1280 is a vulnerability in Microsoft Windows that could allow an attacker to execute arbitrary code if they trick a user into opening a specially crafted .LNK file. If successful, the attacker could gain the same user rights as the local user.

CVE-2019-1306 is a remote code execution vulnerability that exists in Azure DevOps Server and Team Foundation Server when the software improperly validates certain inputs. An attacker could exploit this bug by tricking the user into opening a specially crafted file with a vulnerable version of the .NET Framework or Visual Studio. Additionally, the user could open a malicious attachment in an email. If successful, the attacker could execute code with the same rights as the current user.

Important vulnerabilities

This release also contains 65 important vulnerabilities, five of which we will highlight below.

CVE-2019-1214, CVE-2019-1215 and CVE-2019-1279 are elevation of privilege vulnerabilities in the Windows Common Log File System (CLFS) driver. An attacker could exploit these bugs to run certain processes with elevated rights. An attacker would need to log onto the target system first, and then run a specially crafted application. Information from Microsofts states that malicious users have already exploited these vulnerabilities in the wild.

CVE-2019-1216 and CVE-2019-1219 are vulnerabilities in DirectX that an attacker could exploit to see the contents of Kernel memory on the victim machine, which could allow them to execute additional attacks. These bugs exist in the way DirectX improperly handle objects in memory.

The other important vulnerabilities are:

Moderate vulnerability

There is one moderate vulnerability, CVE-2019-1259, a spoofing vulnerability in Microsoft SharePoint.


In response to these vulnerability disclosures, Talos is releasing a new SNORTⓇ rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on

These rules are: 51436 - 51438, 51445, 51446, 51449 - 51452, 51454 - 51457, 51463 - 51465, 51479 - 51483