I guess it was inevitable. The Patch Tuesday I’m scrambling to get a hundred things done in two days before traveling is when Microsoft releases an “extra large” slates of fixes.
This is not only a hefty Patch Tuesday; it’s also an important one. Two of the critical updates patch zero-day vulnerabilities. Zero-day attacks target security holes that are exploited in the wild before the vendor can come up with a fix. These two escalation-of-privilege vulnerabilities have already been found to have been exploited, even though doing so requires the attacker first log on to the system and then run a specially crafted application. Unfortunately, these two issues affect all currently supported versions of Windows.
The large number of updates involved this month means applying the patches may take a little longer than usual. The zero-day vulnerabilities aren’t the only ones that are rated critical. It’s essential to test and deploy these patches as soon as possible to protect from attackers or malware that could take control of the system through exploits.
Note that the lists below don’t include Windows 10 v1703, which is coming up on its end of service date for Enterprise and Education editions in October (Home and Pro editions reached end of life in October 2018). Also keep in mind that v1803 Home and Pro versions will reach end of life in November. Enterprise and Education editions will be supported for another year. When Windows 10 devices are at, or within several months of reaching, end of service, Windows Update will begin to automatically initiate a feature update. This keeps those devices supported and receiving the monthly updates that are critical to device security and ecosystem health.
Let’s get right down to business now and look at some of the specifics of this month’s software updates and the vulnerabilities that they address. As always, you can find the details in the Microsoft Response Center’s Security Update Guide on the MSRC website at https://portal.msrc.microsoft.com/en-us/security-guidance.
The following security advisories were released on Patch Tuesday this month:
ADV190022 | September 2019 Adobe Flash Security Update (APSB19-46) for Windows, macOS, Linux and Chrome OS. Addresses two critical vulnerabilities in Adobe Flash: a use-after-free and a same origin method execution issue. Adobe assigned priority level 2.
Operating system, OS components, and web browser updates
As usual, the largest number of vulnerabilities patched are in Windows 10, but all versions of the Windows OS contain the two critical zero-day vulnerabilities mentioned above. Windows 10 versions 1809 and 1903 are getting patches for forty-five vulnerabilities. Windows 10 version 1803 gets forty-six. Five of these are rated critical.
Windows 8.1 fares a little better, with “only” thirty-three vulnerabilities, five of them critical, and Windows 7 comes in with thirty-two total, four of them critical.
On the server side, Windows Server 2019 is looking at updates for forty-three security issues, but only three are critical. Server 2016 will get fixes for thirty-nine, Server 2012 R2 and 2008 R2 get patches for thirty-one, also with three critical in each.
This time, the web browsers receive relatively fewer fixes. Internet Explorer 11 updates address four, three of them critical, and Microsoft Edge gets updates for seven, with five of them rated critical.
Windows 10 and Windows Server 2019
See the following KB articles for information about the issues addressed by the September 10 updates for the various versions of Windows 10:
Windows 10 version 1803 – KB4516058 – Provides protections against a new subclass of speculative execution side-channel vulnerabilities, known as Microarchitectural Data Sampling, for 32-Bit (x86) versions of Windows (CVE-2019-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130). Use the registry settings as described in the Windows Client and Windows Server articles. (These registry settings are enabled by default for Windows Client OS editions and Windows Server OS editions.) Security updates to Internet Explorer, Microsoft Scripting Engine, Windows App Platform and Frameworks, Windows Input and Composition, Windows Media, Windows Fundamentals, Windows Authentication, Windows Cryptography, Windows Datacenter Networking, Windows Storage and Filesystems, the Microsoft JET Database Engine, Windows Kernel, Windows Virtualization, Windows Server, and Microsoft Edge.
Windows 10 version 1809/Windows Server 2019 1809 – KB4512578 – Same protections described above.
Windows 10 version 1903/Windows Server 2019 – KB4515384 – Same protections described above, in addition to an issue that causes high CPU usage from SearchUI.exe for a small number of users. This issue only occurs on devices that have disabled searching the web using Windows Desktop Search.
You can find details about each of the patches in the corresponding KB articles linked to each OS version above. Note that some of the cumulative updates also address non-security issues. This article focuses on the security-related fixes.
Older server and client operating systems
If you’re still using an older supported version of Windows, you’ll still need to be diligent about applying this month’s updates as critical vulnerabilities apply across all versions.
The following security updates apply to previous Windows client and server operating systems:
Windows Server 2008 R2 and Windows 7 and Windows Server 2008 – KB4474419 – This security update was originally issued on March 12, 2019 and was updated September 10, 2019 to include boot manager files to avoid startup failures on versions Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2.
A large number of servicing stack updates were also released for various versions of the client and server operating systems.
A large number of updates were also released for various versions of the .NET Framework.
You can find details about each of the patches in the corresponding KB articles linked to each OS version above.
Note that updates for Windows RT 8.1 and Microsoft Office RT software are only available via Windows Update.
Microsoft web browsers
The following security updates apply to Microsoft’s web browsers:
Internet Explorer 11 – 4516046 – Cumulative security update for Internet Explorer. This security update resolves several reported vulnerabilities in Internet Explorer. Except for Internet Explorer 11 on Windows Server 2012, the fixes that are included in this Security Update for Internet Explorer (KB4516046) are also included in the September 2019 Security Monthly Quality Rollup. Installing either the Security Update for Internet Explorer or the Security Monthly Quality Rollup installs the fixes that are in this update.
Vulnerabilities in the Edge browser are addressed by Windows 10 operating system updates.
Other Microsoft products and Services
Updates were also released this month for the following software:
Microsoft Office and Microsoft Office Services and Web Apps
Adobe Flash Player
Microsoft Exchange Server
Team Foundation Server
There are a number of known issues with the various updates, so please check out the KB articles listed under “Known Issues” in the August 2019 Release Notes in the Microsoft Security Update Guide portal.
The following are some of the critical vulnerabilities addressed by this month’s updates.
CVE-2019-1214 | Windows Common Log File System Driver Elevation of Privilege Vulnerability – An elevation of privilege vulnerability exists when the Windows Common Log File System (CLFS) driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. To exploit the vulnerability, an attacker would first have to log on to the system, and then run a specially crafted application to take control over the affected system.
CVE-2019-1215 | Windows Elevation of Privilege Vulnerability – An elevation of privilege vulnerability exists in the way that ws2ifsl.sys (Winsock) handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated privileges. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application.
CVE-2019-0787, CVE-2019-1290 and 2019-1291 | Remote Desktop Client Remote Code Execution Vulnerabilities – A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server. An attacker who successfully exploited this vulnerability could execute arbitrary code on the computer of the connecting client. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
CVE-2019-1280 | LNK Remote Code Execution Vulnerability – An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
The following critical VBS and Chakra scripting engine vulnerabilities in IE 11 and Edge are also addressed by these patches:
CVE-2019-1138 – Chakra Scripting Engine Memory Corruption Vulnerability
CVE-2019-1208 – VBScript Remote Code Execution Vulnerability
CVE-2019-1217 – Chakra Scripting Engine Memory Corruption Vulnerability
CVE-2019-1221 – Scripting Engine Memory Corruption Vulnerability
CVE-2019-1236 – VBScript Remote Code Execution Vulnerability
CVE-2019-1237 – Chakra Scripting Engine Memory Corruption Vulnerability
CVE-2019-1298 – Chakra Scripting Engine Memory Corruption Vulnerability
CVE-2019-1300 – Chakra Scripting Engine Memory Corruption Vulnerability