Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
talosblog[email protected] (Jon Munshaw)TALOSBLOG:C3F889D9C3C954C42160A3C26034C2F6
HistorySep 10, 2019 - 12:12 p.m.

Microsoft Patch Tuesday — Sept. 2019: Vulnerability disclosures and Snort coverage

2019-09-1012:12:34
[email protected] (Jon Munshaw)
feedproxy.google.com
70
JSON

By Jon Munshaw.

Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 85 vulnerabilities, 19 of which are rated “critical," 65 that are considered “important” and one “moderate.” There is also a critical advisory relating to the latest update to Adobe Flash Player.

This month’s security update covers security issues in a variety of Microsoft services and software, including the Jet Database Engine and the Hyper-V hypervisor.

Talos also released a new set of SNORTⓇ rules that provide coverage for some of these vulnerabilities. For more, check out the Snort blog post here.

Critical vulnerabilities

Microsoft disclosed 19 critical vulnerabilities this month, all of which we will highlight below.

CVE-2019-1291, CVE-2019-1290, CVE-2019-0788 and CVE-2019-0787 are all remote code execution vulnerabilities in Windows Remote Desktop Protocol. An attacker can exploit these bugs by sending a specially crafted request to a client’s RDP software. If successful, the attacker could then gain the ability to execute arbitrary code. These vulnerabilities are pre-authentication and require no user interaction.

CVE-2019-1257, CVE-2019-1296 and CVE-2019-1295 are remote code execution vulnerabilities in Microsoft SharePoint, a document manager and storage system. Some APIs in the software are exposed in unsafe ways, opening them up to exploitation if the user opens a specially crafted file. An attacker could exploit these vulnerabilities to gain the ability to execute code in the context of the SharePoint application pool and SharePoint server farm account.

CVE-2019-0719 and CVE-2019-0721 are remote code execution vulnerabilities in the Windows Hyper-V hypervisor. These bugs arise when the Hyper-V Network Switch on a host server improperly validates input from an authenticated user on a guest operating system. An attacker could exploit these by running a specially crafted application on a guest OS, potentially causing the Hyper-V host OS to execute arbitrary code.

CVE-2019-1138, CVE-2019-1217, CVE-2019-1237, CVE-2019-1298 and CVE-2019-1300 are remote code execution vulnerabilities in Chakra Scripting Engine when the engine attempts to handle objects in memory in the Microsoft Edge web browser. An attacker could exploit these bugs to corrupt memory on the target system, and then gain the ability to execute arbitrary code on the victim machine. A user can only trigger these vulnerabilities by clicking on an attacker-created web site in Microsoft Edge or a malicious ad on another site. CVE-2019-1221 is similar to these vulnerabilities, only it exists in Internet Explorer’s scripting engine.

CVE-2019-1208 and CVE-2019-1236 are remote code executions in the VBScript engine that exist in the way the engine handles objects in memory. An attacker could exploit these vulnerabilities by tricking the user into visiting a specially crafted website on Internet Explorer. Additionally, they could embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that utilizes the Internet Explorer rendering engine.

CVE-2019-1280 is a vulnerability in Microsoft Windows that could allow an attacker to execute arbitrary code if they trick a user into opening a specially crafted .LNK file. If successful, the attacker could gain the same user rights as the local user.

CVE-2019-1306 is a remote code execution vulnerability that exists in Azure DevOps Server and Team Foundation Server when the software improperly validates certain inputs. An attacker could exploit this bug by tricking the user into opening a specially crafted file with a vulnerable version of the .NET Framework or Visual Studio. Additionally, the user could open a malicious attachment in an email. If successful, the attacker could execute code with the same rights as the current user.

Important vulnerabilities

This release also contains 65 important vulnerabilities, five of which we will highlight below.

CVE-2019-1214, CVE-2019-1215 and CVE-2019-1279 are elevation of privilege vulnerabilities in the Windows Common Log File System (CLFS) driver. An attacker could exploit these bugs to run certain processes with elevated rights. An attacker would need to log onto the target system first, and then run a specially crafted application. Information from Microsofts states that malicious users have already exploited these vulnerabilities in the wild.

CVE-2019-1216 and CVE-2019-1219 are vulnerabilities in DirectX that an attacker could exploit to see the contents of Kernel memory on the victim machine, which could allow them to execute additional attacks. These bugs exist in the way DirectX improperly handle objects in memory.

The other important vulnerabilities are:

Moderate vulnerability

There is one moderate vulnerability, CVE-2019-1259, a spoofing vulnerability in Microsoft SharePoint.

Coverage

In response to these vulnerability disclosures, Talos is releasing a new SNORTⓇ rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.

These rules are: 51436 - 51438, 51445, 51446, 51449 - 51452, 51454 - 51457, 51463 - 51465, 51479 - 51483

Related

nessus 23
kaspersky 6
mskb 24
openvas 19
qualysblog 1
prion 44
cve 44
threatpost 1
thn 1
osv 10
veracode 4
github 5
attackerkb 4
krebs 1
fedora 2
mscve 4
symantec 3
checkpoint_advisories 2
zdi 1
nessus
nessus
KB4512578: Windows 10 Version 1809 and Windows Server 2019 September 2019 Security Update
2019-09-10 00:00:00
KB4516068: Windows 10 Version 1703 September 2019 Security Update
2019-09-10 00:00:00
KB4516066: Windows 10 Version 1709 September 2019 Security Update
2019-09-10 00:00:00
kaspersky
kaspersky
KLA11552 Multiple vulnerabilities in Microsoft Windows
2019-09-10 00:00:00
KLA11555 Multiple vulnerabilities in Microsoft Products (ESU)
2019-09-10 00:00:00
KLA11551 Multiple vulnerability in Microsoft Office
2019-09-10 00:00:00
mskb
mskb
September 10, 2019—KB4516044 (OS Build 14393.3204)
2019-09-10 07:00:00
September 10, 2019—KB4516058 (OS Build 17134.1006)
2019-09-10 07:00:00
September 10, 2019—KB4515384 (OS Build 18362.356)
2019-09-10 07:00:00
openvas
openvas
Microsoft Windows Multiple Vulnerabilities (KB4516058)
2019-09-11 00:00:00
Microsoft Windows Multiple Vulnerabilities (KB4516070)
2019-09-11 00:00:00
Microsoft Windows Multiple Vulnerabilities (KB4515384)
2019-09-11 00:00:00
qualysblog
qualysblog
September Patch Tuesday – 79 Vulns, 17 Critical, Remote Desktop Client, SharePoint, Exploited PrivEsc
2019-09-10 18:00:37
prion
prion
Remote code execution
2019-09-11 22:15:00
Remote code execution
2019-09-11 22:15:00
Remote code execution
2019-09-11 22:15:00
cve
cve
CVE-2019-1243
2019-09-11 22:15:00
CVE-2019-1241
2019-09-11 22:15:00
CVE-2019-1249
2019-09-11 22:15:00
threatpost
threatpost
Microsoft Addresses Two Zero-Days Under Active Attack
2019-09-10 19:54:07
thn
thn
Latest Microsoft Updates Patch 4 Critical Flaws In Windows RDP Client
2019-09-10 18:16:00
osv
osv
CVE-2019-1237
2019-09-11 22:15:15
CVE-2019-1298
2019-09-11 22:15:18
CVE-2019-1217
2019-09-11 22:15:14
veracode
veracode
Remote Code Execution
2019-09-12 07:33:07
Remote Code Execution
2019-09-12 07:45:33
Remote Code Execution
2019-09-12 07:39:59
github
github
Out-of-bounds write
2021-03-29 20:56:08
Out-of-bounds write
2021-03-29 20:56:11
Out-of-bounds write
2021-03-29 20:56:04
attackerkb
attackerkb
CVE-2019-1215
2019-09-11 00:00:00
CVE-2019-1253
2019-09-11 00:00:00
CVE-2019-1303
2019-09-11 00:00:00
krebs
krebs
Patch Tuesday, September 2019 Edition
2019-09-10 20:09:11
fedora
fedora
[SECURITY] Fedora 30 Update: pam-u2f-1.0.8-1.fc30
2019-06-19 22:46:18
[SECURITY] Fedora 29 Update: pam-u2f-1.0.8-1.fc29
2019-08-13 01:59:34
mscve
mscve
Microsoft SharePoint Spoofing Vulnerability
2019-09-10 07:00:00
Active Directory Federation Services XSS Vulnerability
2019-09-10 07:00:00
Windows Audio Service Elevation of Privilege Vulnerability
2019-09-10 07:00:00
symantec
symantec
Microsoft Windows Hyper-V CVE-2019-1254 Local Information Disclosure Vulnerability
2019-09-10 00:00:00
Microsoft Windows Audio Service CVE-2019-1277 Local Privilege Escalation Vulnerability
2019-09-10 00:00:00
Microsoft Windows CVE-2019-1278 Local Privilege Escalation Vulnerability
2019-09-10 00:00:00
checkpoint_advisories
checkpoint_advisories
Microsoft Win32k Elevation of Privilege (CVE-2019-1256)
2019-09-10 00:00:00
Microsoft SharePoint Remote Code Execution (CVE-2019-1295)
2019-09-10 00:00:00
zdi
zdi
Microsoft SharePoint Business Data Connectivity Service Deserialization of Untrusted Data Remote Code Execution Vulnerability
2019-09-10 00:00:00
JSON
Related for TALOSBLOG:C3F889D9C3C954C42160A3C26034C2F6
nessus23kaspersky6mskb24openvas19qualysblog1prion44cve44threatpost1thn1osv10veracode4github5attackerkb4krebs1fedora2mscve4symantec3checkpoint_advisories2zdi1