The October Security Update Review
October 08, 2019 | Dustin Childs

October is here and so are the latest security patches from Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.
Adobe Patches for October 2019
Interestingly, Adobe released no updates today. They did release an unscheduled update for Cold Fusion on September 24, despite not listing any active attacks for the CVEs addressed. It is possible Adobe will release patches later in the month. We will update this blog should that occur.
Edit on October 15
On October 15, Adobe released four patches covering Adobe Acrobat and Reader, Download Manager, Experience Manager, and Experience Manager Forms. The update for Reader is by far the largest, with 68 CVEs addressed. A total of 32 of these CVEs came through the ZDI program. While definitely a Critical update, it does not appear that any of the CVEs are under attack. The update for Experience Manager has a dozen CVEs addressed while Experience Manager Forms only has a single, Moderate-rated CVE. The update for the Adobe Download Manager also only has a single CVE, but this one is rated Important. It’s not clear why Adobe waited for an extra week prior to releasing these patches, but none are listed as publicly known or under active attack at the time of release.
Microsoft Patches for October 2019
This month, the Microsoft release is on the smaller side, with security patches for 59 CVEs and no new advisories. The updates cover Microsoft Windows, Internet Explorer, Edge (EdgeHTML-based), ChakraCore, Microsoft Office and Microsoft Office Services and Web Apps, SQL Server Management Studio, Microsoft Dynamics 365, Windows Update Assistant and Open Source Software. It’s still odd to see Microsoft patching open source software, but it certainly is a welcome occurrence. Of these 59 CVEs, nine are listed as Critical, 49 are listed as Important, and one is listed as Moderate in severity. Two of these CVEs were reported through the ZDI program. None of the vulnerabilities disclosed today are listed as publicly known or under active attack.
Let’s take a closer look at some of the more interesting patches for this month, starting with an OOB release and re-release:
- CVE-2019-1367 – Scripting Engine Memory Corruption Vulnerability
This patch was actually released on September 23 to address active attacks reported on IE. However, this initial patch was only available via manual download and wasn’t on Windows Update or Automatic Update. On October 3, they updated and re-released the patch on all platforms. They also noted the updated patch addresses some quality issues introduced by the first patch. It seems the rush to create the update to stop the attacks had a bumpy start, and some reports indicate printing issues continue. If you’re worried about the risk, restricting access to jscript.dll is a good alternative to applying the patch.
- CVE-2019-1372 – Azure App Service Remote Code Execution Vulnerability
Although listed as an RCE, you could look at this bug as an Elevation of Privilege (EoP). These bugs rarely get listed as Critical severity, but this one certainly earns its rating. An attacker could use this vulnerability to have an unprivileged function run by a user execute code at the level of System. That provides an attacker a nifty sandbox escape. Microsoft gives this an “Exploitation Less Likely” Exploit Index rating, but if you use the Azure App Service, don’t depend on that and do apply the patch.
- CVE-2019-1365 – Microsoft IIS Server Elevation of Privilege Vulnerability
It seems certain things tend to repeat themselves, and buffer overflows in IIS certainly fall into that category. This patch corrects this most recent buffer overflow by changing how IIS sanitizes web requests. Similar to the previously mentioned Azure bug, an attacker could use this vulnerability to execute code as System and escape the sandbox. Given the importance of most IIS servers in an enterprise, definitely put this near the top of your test-and-deploy list.
- CVE-2019-1314 – Windows 10 Mobile Security Feature Bypass Vulnerability
This Security Feature Bypass (SFB) for Windows 10 Mobile takes advantage of a flaw in Cortana that allows an attacker to access files on a device from the lock screen. Obviously, the attacker would need physical access to the device. Although Microsoft details the bug, they aren’t fixing it. Instead, they recommend users of Windows 10 Mobile disable Cortana on the lock screen. If your organization uses devices with this OS, start rounding them up to make the change.
Here’s the full list of CVEs released by Microsoft for October 2019.
CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older | Type |
--- | --- | --- | --- | --- | --- | --- | --- |
CVE-2019-1060 | VBScript Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2019-1238 | VBScript Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2019-1239 | VBScript Remote Code Execution Vulnerability | Critical | No | No | 2 | N/A | RCE |
CVE-2019-1307 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
CVE-2019-1308 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
CVE-2019-1333 | Remote Desktop Client Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 | RCE |
CVE-2019-1335 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
CVE-2019-1366 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | N/A | 2 | RCE |
CVE-2019-1372 | Azure App Service Elevation of Privilege Vulnerability | Critical | No | No | 2 | 2 | EoP |
CVE-2019-0608 | Microsoft Browser Spoofing Vulnerability | Important | No | No | 2 | 2 | Spoof |
CVE-2019-1070 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | N/A | 2 | XSS |
CVE-2019-1166 | Windows NTLM Tampering Vulnerability | Important | No | No | 2 | 2 | Tampering |
CVE-2019-1230 | Hyper-V Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2019-1311 | Windows Imaging API Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2019-1313 | SQL Server Management Studio Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2019-1314 | Windows 10 Mobile Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 | SFB |
CVE-2019-1315 | Windows Error Reporting Manager Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1316 | Microsoft Windows Setup Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1317 | Microsoft Windows Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2019-1318 | Microsoft Windows Transport Layer Security Spoofing Vulnerability | Important | No | No | 2 | 2 | Spoof |
CVE-2019-1319 | Windows Error Reporting Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1320 | Microsoft Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1321 | Microsoft Windows CloudStore Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1322 | Microsoft Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1323 | Microsoft Windows Update Client Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1326 | Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2019-1327 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2019-1328 | Microsoft SharePoint Spoofing Vulnerability | Important | No | No | N/A | 2 | Spoof |
CVE-2019-1329 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | N/A | 2 | EoP |
CVE-2019-1330 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1331 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2019-1334 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2019-1336 | Microsoft Windows Update Client Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1337 | Windows Update Client Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2019-1338 | Windows NTLM Security Feature Bypass Vulnerability | Important | No | No | N/A | 2 | SFB |
CVE-2019-1339 | Windows Error Reporting Manager Elevation of Privilege Vulnerability | Important | No | No | N/A | N/A | EoP |
CVE-2019-1340 | Microsoft Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1341 | Windows Power Service Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2019-1342 | Windows Error Reporting Manager Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1343 | Windows Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2019-1344 | Windows Code Integrity Module Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2019-1345 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2019-1346 | Windows Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2019-1347 | Windows Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2019-1356 | Microsoft Edge based on Edge HTML Information Disclosure Vulnerability | Important | No | No | 2 | N/A | Info |
CVE-2019-1357 | Microsoft Browser Spoofing Vulnerability | Important | No | No | 2 | 2 | Spoof |
CVE-2019-1358 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2019-1359 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2019-1361 | Microsoft Graphics Components Information Disclosure Vulnerability | Important | No | No | N/A | 2 | Info |
CVE-2019-1362 | Win32k Elevation of Privilege Vulnerability | Important | No | No | N/A | 1 | EoP |
CVE-2019-1363 | Windows GDI Information Disclosure Vulnerability | Important | No | No | N/A | 2 | Info |
CVE-2019-1364 | Win32k Elevation of Privilege Vulnerability | Important | No | No | N/A | 1 | EoP |
CVE-2019-1365 | Microsoft IIS Server Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1369 | Open Enclave SDK Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2019-1371 | Internet Explorer Memory Corruption Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2019-1368 | Windows Secure Boot Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 | SFB |
CVE-2019-1375 | Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability | Important | No | No | 2 | 2 | XSS |
CVE-2019-1376 | SQL Server Management Studio Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2019-1325 | Windows Redirected Drive Buffering System Elevation of Privilege Vulnerability | Moderate | No | No | 3 | 2 | EoP |
Of the other patches, there are a couple more entries to the Blue Bug Group of Remote Desktop vulns, but like last month, these bugs are client side and thus not wormable. The remaining Critical-rated bugs for October all address browse-and-own scenarios in VBScript and Chakra.
There are a few interesting entries in the Important-rated patches, including a tampering bug in NTLM. You don’t see a lot of patches for Tampering bugs, and I have a soft spot for anything packet related. CVE-2019-1166 corrects a vulnerability in NTLM that could allow a monster-in-the-middle to bypass the NTLM Message Integrity Check (MIC) and thereby downgrade NTLM security features. If an attacker can tamper with an NTLM exchange, they could modify flags of the NTLM packet without invalidating the signature. While this may be an unlikely scenario, the concept of modifying NTLM packets without invalidating the signature is fascinating (well, at least to me).
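As an added example (not from the post, and not Microsoft's or the ZDI's code), here is a Python sketch of the check the MIC is meant to provide: the verifier recomputes HMAC-MD5 over the three messages of the exchange, so a negotiate-flags field altered in transit no longer matches. The message layout, session key and payloads are constructed for illustration; the flag values and the MIC construction follow MS-NLMP.

```python
import hmac
import hashlib
import struct

# Constructed NTLM-like messages for illustration only (not real captures).
# Assumed layout: "NTLMSSP\0" signature, 4-byte message type, 4-byte
# negotiate-flags field, then an opaque payload.
SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3
# Negotiate flag values as defined in MS-NLMP.
NTLMSSP_NEGOTIATE_SIGN = 0x00000010
NTLMSSP_NEGOTIATE_SEAL = 0x00000020
NTLMSSP_NEGOTIATE_ALWAYS_SIGN = 0x00008000

def build_message(msg_type, flags, payload):
    return SIGNATURE + struct.pack("<II", msg_type, flags) + payload

def with_flags(message, flags):
    """Copy of a message with its flags field rewritten: the kind of
    in-transit change the MIC exists to catch."""
    return message[:12] + struct.pack("<I", flags) + message[16:]

def compute_mic(session_key, negotiate, challenge, authenticate):
    """MS-NLMP MIC: HMAC-MD5 over NEGOTIATE || CHALLENGE || AUTHENTICATE,
    keyed with the exported session key (MIC field assumed zeroed here)."""
    return hmac.new(session_key, negotiate + challenge + authenticate,
                    hashlib.md5).digest()

def verify_exchange(session_key, negotiate, challenge, authenticate, mic):
    """Server-side check: recompute the MIC over the messages as received
    and reject the exchange if it no longer matches."""
    expected = compute_mic(session_key, negotiate, challenge, authenticate)
    return hmac.compare_digest(expected, mic)

def demo():
    key = bytes(range(16))  # constructed exported session key
    flags = (NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_SEAL
             | NTLMSSP_NEGOTIATE_ALWAYS_SIGN)
    neg = build_message(NEGOTIATE, flags, b"")
    chal = build_message(CHALLENGE, flags, b"\x11" * 8)      # constructed challenge
    auth = build_message(AUTHENTICATE, flags, b"\x22" * 24)  # constructed NT response
    mic = compute_mic(key, neg, chal, auth)
    intact = verify_exchange(key, neg, chal, auth, mic)
    # Same exchange with SIGN and SEAL stripped from NEGOTIATE in transit:
    stripped = with_flags(neg, flags & ~(NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_SEAL))
    downgraded = verify_exchange(key, stripped, chal, auth, mic)
    return intact, downgraded
```

`demo()` returns `(True, False)`: the untouched exchange verifies, the one with signing and sealing stripped does not, which is exactly the protection a MIC bypass of the kind described above would undermine.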
This month’s release is mostly focused on EoP bugs. These include patches for the Windows Update Client, which would be disastrous if attackers compromised the automatic update client. However, these bugs are really your typical Local Privilege Escalations (LPE) and not a breakdown of the entire Windows Update service. The Error Reporting Service also has several LPEs fixed this month, which is somewhat ironic.
The “Open Source Software” receiving an update this month comes in the form of the Open Enclave SDK. Microsoft had previously promised to contribute to the open-source project as a part of their Confidential Computing Consortium, and this info disclosure bug appears to be the first patch-related contribution.
This month’s release is rounded out by additional info disclosure bugs, five DoS vulnerabilities, a few spoofing issues, and a patch to address a cross-site scripting (XSS) bug in SharePoint. The servicing stack advisory (ADV990001) was revised for multiple versions of Windows. No new advisories were released this month.
Looking Ahead
The next patch Tuesday falls on November 12, and we’ll return with details and patch analysis then. Until then, happy patching and may all your reboots be smooth and clean!