The August 2019 Security Update Review
August 13, 2019 | Dustin Childs
August is here and it brings with it the scheduled security patches from Microsoft and Adobe. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.
Adobe Patches for August 2019
Adobe released eight patches for August covering a total of 119 CVEs, with the largest being for Adobe Acrobat and Reader. The update addresses 76 Important- and Moderate-rated CVEs. A total of 20 of these came through the ZDI program. The majority of these bugs are caused by either an Out-of-Bounds (OOB) Read or a Use-After-Free (UAF) condition. There’s also a command injection bug (CVE-2019-8060); however, it does not impact the Windows version of Reader.
The patch for Photoshop is also quite large, with 34 CVEs being addressed this month. A total of 17 of these bugs were reported through the ZDI program. The majority of these bugs are rated Critical in severity, with heap overflows and OOB Writes leading the way. Adobe Experience Manager receives a patch for a Critical-rated authentication bypass. The Creative Cloud Desktop app has two Important- and two Critical-rated CVEs fixed. The release is rounded out with a quartet of patches for Adobe Prelude, Character Animator, After Effects, and Premiere Pro that each get one DLL-hijacking bug fixed.
None of these bugs are listed as being publicly known or under active attack at the time of release.
Microsoft Patches for August 2019
This month, Microsoft released security patches for a whopping 93 CVEs plus two advisories. The updates cover Microsoft Windows, Internet Explorer, Edge, ChakraCore, Microsoft Office and Microsoft Office Services and Web Apps, Azure DevOps Server, Visual Studio, Online Services, and Microsoft Dynamics. Of these 93 CVEs, 29 are rated Critical and 64 are rated Important in severity. A total of 15 of these CVEs came through the ZDI program. None of the bugs addressed this month are listed as publicly known or under active attack at the time of release; however, multiple bugs this month fall into the wormable category.
Let’s take a closer look at some of the more interesting patches for this month, starting with the bugs with the potential to end up as worms:
- CVE-2019-1181 – Remote Desktop Services Remote Code Execution Vulnerability
- CVE-2019-1182 – Remote Desktop Services Remote Code Execution Vulnerability
- CVE-2019-1222 – Remote Desktop Services Remote Code Execution Vulnerability
- CVE-2019-1226 – Remote Desktop Services Remote Code Execution Vulnerability
These four bugs share the same impact and exploit scenarios. An attacker can get code execution at system level by sending a specially crafted pre-authentication RDP packet to an affected RDS server. If that sounds familiar to you, then you are probably thinking about the recently patched “BlueKeep” vulnerability. Clearly, the folks in Redmond thought similar bugs existed in RDP, and these four patches demonstrate that fact. These bugs also receive Microsoft’s highest exploitability ranking, meaning we could likely see multiple RDP exploits circulating in the near future. If you must have an internet-facing RDP server, patch immediately (and reconsider your server placement).
- CVE-2019-0736 – Windows DHCP Client Remote Code Execution Vulnerability
This patch corrects a bug in the DHCP client that could allow code execution if an attacker sends a specially crafted packet to an affected client. There’s no user interaction or authentication involved, so this CVE is also theoretically wormable. Every supported Microsoft OS is impacted by this bug, so an exploit would have a broad selection of targets.
- CVE-2019-1188 – LNK Remote Code Execution Vulnerability
I can’t see an LNK vulnerability without thinking about Stuxnet and how the 2010 patch could be circumvented. This bug is similar. An attacker could use this vulnerability to get code execution by having an affected system process a specially crafted .LNK file. This could be done by convincing a user to open a remote share, or – as has been seen in the past – placing the .LNK file on a USB drive and having the user open it. It’s a handy way to exploit an air-gapped system.
- CVE-2019-1201 – Microsoft Word Remote Code Execution Vulnerability
Most Word patches are rated Important in severity, but this one is listed as Critical. Typically, user interaction is required, meaning someone needs to actually open a crafted Word document. For this bug, that’s not the case. The Outlook Preview Pane is an attack vector, so it’s possible to get code execution using this bug without user interaction. Considering the ubiquity of Word and Outlook, this should definitely be near the top of your test and deployment list.
- CVE-2019-9506 – Encryption Key Negotiation of Bluetooth Vulnerability
There is a key negotiation vulnerability in Bluetooth Classic that could allow an attacker to negotiate the offered key length down to 1 byte of entropy, from a maximum of 16 bytes. The attacker would need to be within Bluetooth range to do this. This is an interesting case, as you can’t just apply a patch. Instead, you need to apply the update then enable the registry key that then enforces a default 7-octet minimum key length. If you rely on older Bluetooth devices, make sure you complete all the steps listed in the KB article. CERT/CC has this listed as VU#918987.
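The key-size negotiation described above is easier to reason about with a small model. The following is an added illustration, not code from the ZDI post or from Microsoft: each device proposes a key size in octets, the link normally settles on the smaller proposal, and a `min_key_size` policy (the 7-octet default the post refers to) turns a downgraded proposal into a refused link instead of a weak one. The `Device`, `negotiate` and `brute_force_work` names, and the simplified one-round exchange, are assumptions of this model, not the actual LMP message flow.

```python
"""Model of Bluetooth Classic (BR/EDR) encryption key-size negotiation.

Added illustration, not the ZDI post's or Microsoft's code. The exchange
is simplified to one proposal and one answer; the real LMP flow has more
messages, but the policy check is the part that matters for the fix.
"""
from dataclasses import dataclass
from typing import Optional

MAX_KEY_SIZE = 16          # spec maximum, in octets
DEFAULT_MIN_KEY_SIZE = 7   # minimum the mitigation enforces by default


class KeySizeRejected(Exception):
    """Raised when the agreed key size falls below local policy."""


@dataclass
class Device:
    name: str
    max_key_size: int = MAX_KEY_SIZE  # largest size this device offers
    min_key_size: int = 1             # 1 == no enforcement (pre-mitigation state)

    def propose(self) -> int:
        return self.max_key_size

    def accept(self, proposed: int) -> int:
        """Settle on the smaller of the two sizes, unless that would violate
        the local minimum, in which case the link is refused, not downgraded."""
        agreed = min(self.max_key_size, proposed)
        if agreed < self.min_key_size:
            raise KeySizeRejected(
                f"{self.name}: peer proposed {proposed} octets, "
                f"policy minimum is {self.min_key_size}")
        return agreed


def negotiate(initiator: Device, responder: Device,
              downgraded_proposal: Optional[int] = None) -> int:
    """Run the exchange and return the agreed key size in octets.

    `downgraded_proposal` models the in-range tampering the post describes:
    the responder sees that value instead of the initiator's real offer.
    Both sides apply their own policy to the agreed size, so enforcing the
    minimum on either end is enough to refuse a 1-octet key.
    """
    proposal = initiator.propose() if downgraded_proposal is None else downgraded_proposal
    agreed = responder.accept(proposal)
    return initiator.accept(agreed)


def brute_force_work(key_size_octets: int) -> int:
    """Candidate keys an attacker must try for a key of this size: 2^(8*n)."""
    return 1 << (8 * key_size_octets)


if __name__ == "__main__":
    unpatched = Device("laptop")
    print("normal:", negotiate(unpatched, Device("headset")))          # 16
    print("downgraded:", negotiate(unpatched, Device("headset"), 1))   # 1
    print("work for 1 octet:", brute_force_work(1))                     # 256
    patched = Device("laptop", min_key_size=DEFAULT_MIN_KEY_SIZE)
    try:
        negotiate(patched, Device("headset"), 1)
    except KeySizeRejected as err:
        print("refused:", err)
```

The point of the model is the last case: with the minimum enforced, a downgraded proposal is rejected outright, which is why the post stresses that older peripherals offering small key sizes will stop pairing until you complete every step in the KB article.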
Here’s the full list of CVEs released by Microsoft for August 2019.
CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older | Type |
--- | --- | --- | --- | --- | --- | --- | --- |
CVE-2019-1131 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
CVE-2019-1139 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
CVE-2019-1140 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
CVE-2019-1141 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
CVE-2019-1195 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
CVE-2019-1196 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
CVE-2019-1197 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
CVE-2019-0720 | Hyper-V Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2019-1188 | LNK Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2019-1144 | Microsoft Graphics Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2019-1145 | Microsoft Graphics Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2019-1149 | Microsoft Graphics Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2019-1150 | Microsoft Graphics Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2019-1151 | Microsoft Graphics Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2019-1152 | Microsoft Graphics Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2019-1199 | Microsoft Outlook Memory Corruption Vulnerability | Critical | No | No | 1 | 1 | RCE |
CVE-2019-1200 | Microsoft Outlook Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2019-1201 | Microsoft Word Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 | RCE |
CVE-2019-1205 | Microsoft Word Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2019-1181 | Remote Desktop Services Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 | RCE |
CVE-2019-1182 | Remote Desktop Services Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 | RCE |
CVE-2019-1222 | Remote Desktop Services Remote Code Execution Vulnerability | Critical | No | No | 1 | N/A | RCE |
CVE-2019-1226 | Remote Desktop Services Remote Code Execution Vulnerability | Critical | No | No | 1 | N/A | RCE |
CVE-2019-1133 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2019-1194 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2019-0736 | Windows DHCP Client Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2019-1213 | Windows DHCP Server Remote Code Execution Vulnerability | Critical | No | No | N/A | 2 | RCE |
CVE-2019-0965 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2019-1183 | Windows VBScript Engine Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2019-9511 | HTTP/2 Server Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2019-9512 | HTTP/2 Server Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2019-9513 | HTTP/2 Server Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2019-9514 | HTTP/2 Server Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2019-9518 | HTTP/2 Server Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2019-0716 | Windows Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2019-1206 | Windows DHCP Server Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2019-1212 | Windows DHCP Server Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2019-0714 | Windows Hyper-V Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2019-0715 | Windows Hyper-V Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2019-0717 | Windows Hyper-V Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2019-0718 | Windows Hyper-V Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2019-0723 | Windows Hyper-V Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2019-1223 | Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability | Important | No | No | 1 | N/A | DoS |
CVE-2019-1187 | XmlLite Runtime Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2019-1176 | DirectX Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1229 | Dynamics On-Premise Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1211 | Git for Visual Studio Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1161 | Microsoft Defender Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1204 | Microsoft Outlook Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2019-1198 | Microsoft Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1168 | Microsoft Windows p2pimsvc Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1169 | Win32k Elevation of Privilege Vulnerability | Important | No | No | N/A | 1 | EoP |
CVE-2019-1162 | Windows ALPC Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1173 | Windows Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2019-1174 | Windows Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2019-1175 | Windows Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2019-1177 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1178 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1179 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1180 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1184 | Windows Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2019-1186 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1190 | Windows Image Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1159 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2019-1164 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2019-1170 | Windows NTFS Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2019-1185 | Windows Subsystem for Linux Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1030 | Microsoft Edge Information Disclosure Vulnerability | Important | No | No | 2 | N/A | Info |
CVE-2019-1078 | Microsoft Graphics Component Information Disclosure Vulnerability | Important | No | No | 1 | 1 | Info |
CVE-2019-1148 | Microsoft Graphics Component Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2019-1153 | Microsoft Graphics Component Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2019-1202 | Microsoft SharePoint Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2019-1224 | Remote Desktop Protocol Server Information Disclosure Vulnerability | Important | No | No | 1 | N/A | Info |
CVE-2019-1225 | Remote Desktop Protocol Server Information Disclosure Vulnerability | Important | No | No | 1 | N/A | Info |
CVE-2019-1171 | SymCrypt Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2019-1143 | Windows Graphics Component Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2019-1154 | Windows Graphics Component Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2019-1158 | Windows Graphics Component Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2019-1172 | Windows Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2019-1227 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2019-1228 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | N/A | 2 | Info |
CVE-2019-1146 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2019-1147 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2019-1155 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2019-1156 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2019-1157 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2019-1193 | Microsoft Browser Memory Corruption Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2019-1057 | MS XML Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2019-1192 | Microsoft Browsers Security Feature Bypass Vulnerability | Important | No | No | 1 | 1 | SFB |
CVE-2019-1163 | Windows File Signature Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 | SFB |
CVE-2019-1218 | Outlook iOS Spoofing Vulnerability | Important | No | No | N/A | N/A | Spoof |
CVE-2019-9506 | Encryption Key Negotiation of Bluetooth Vulnerability | Important | No | No | 2 | 2 | Tampering |
CVE-2019-1203 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
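Tables like the one above are what most of us actually work from when building a deployment order, so here is an added example (not part of the ZDI post) that parses rows in this pipe-separated layout and ranks them: anything exploited or public first, then the CVEs the post calls wormable, then by severity, exploitability index and bug type. The `WORMABLE` set, the rank tables and the function names are assumptions of this script, and `SAMPLE_TABLE` is a constructed subset of the full table, copied from the rows above.

```python
"""Rank a Patch Tuesday CVE table into a deployment order.

Added example, not the ZDI post's code. Input rows follow the layout used
in the post: CVE | Title | Severity | Public | Exploited | XI - Latest |
XI - Older | Type.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed subset of the August 2019 table (values copied from the post).
SAMPLE_TABLE = """\
CVE-2019-1181 | Remote Desktop Services Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 | RCE |
CVE-2019-1201 | Microsoft Word Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 | RCE |
CVE-2019-0736 | Windows DHCP Client Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2019-1169 | Win32k Elevation of Privilege Vulnerability | Important | No | No | N/A | 1 | EoP |
CVE-2019-9511 | HTTP/2 Server Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2019-1203 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
"""

# CVEs the post singles out as wormable (pre-auth network RCE, no user interaction).
WORMABLE = {"CVE-2019-1181", "CVE-2019-1182", "CVE-2019-1222",
            "CVE-2019-1226", "CVE-2019-0736"}

SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}
TYPE_RANK = {"RCE": 0, "EoP": 1, "SFB": 2, "DoS": 3, "Info": 4,
             "Spoof": 5, "Tampering": 5, "XSS": 6}


@dataclass
class Entry:
    cve: str
    title: str
    severity: str
    public: bool
    exploited: bool
    xi_latest: Optional[int]   # None where the table says N/A
    xi_older: Optional[int]
    kind: str

    @property
    def best_xi(self) -> int:
        """Most exploitable index across the two platform columns; 9 if both N/A."""
        known = [x for x in (self.xi_latest, self.xi_older) if x is not None]
        return min(known) if known else 9

    @property
    def wormable(self) -> bool:
        return self.cve in WORMABLE


def _xi(cell: str) -> Optional[int]:
    cell = cell.strip()
    return None if cell.upper() == "N/A" else int(cell)


def parse_table(text: str) -> List[Entry]:
    """Parse pipe-separated rows; header, separator and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 8 or not cells[0].startswith("CVE-"):
            continue
        entries.append(Entry(
            cve=cells[0], title=cells[1], severity=cells[2],
            public=cells[3].lower() == "yes", exploited=cells[4].lower() == "yes",
            xi_latest=_xi(cells[5]), xi_older=_xi(cells[6]), kind=cells[7]))
    return entries


def priority_key(e: Entry):
    """Sort key: a smaller tuple means deploy sooner."""
    return (0 if e.exploited else 1,
            0 if e.public else 1,
            0 if e.wormable else 1,
            SEVERITY_RANK.get(e.severity, 9),
            e.best_xi,
            TYPE_RANK.get(e.kind, 9),
            e.cve)


def deployment_order(text: str) -> List[str]:
    return [e.cve for e in sorted(parse_table(text), key=priority_key)]


if __name__ == "__main__":
    for rank, cve in enumerate(deployment_order(SAMPLE_TABLE), 1):
        print(f"{rank}. {cve}")
```

With the sample rows the RDS and DHCP client bugs come out ahead of the Critical Word bug even though Word carries an exploitability index of 1, because the script treats "no authentication, no user interaction" as the stronger signal; adjust `priority_key` if your environment disagrees.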
In addition to these, there’s also a DHCP server RCE that could be wormable, but only between DHCP servers. There are also several additional RDP bugs getting fixes, but these vulnerabilities are info disclosure and denial of service (DoS) rather than code execution.
Looking at the other Critical-rated patches, the two Hyper-V bugs definitely stand out. Both could allow an attacker on a guest OS to execute code on the underlying host OS. Fonts make their return to getting patches, this time through the Microsoft Graphics Component. Viewing a specially crafted embedded font on an affected system would get code execution at the level of the logged-on user. There are additional patches similar to the Word bug previously discussed. Since the Preview Pane is an attack vector for these bugs, there’s a good chance malware authors will seek to include these in future attacks. Ten different browser-related patches round out the Critical updates for August. In each case, code execution could be achieved by browsing to a malicious website.
Moving to the Important-rated cases, there are 15 different DoS bugs getting fixes this month. The ones affecting Hyper-V cause the most concern as they would allow a guest OS user to shut down the host OS. Two patches fix bugs in the DHCP server that could shut down the server through specially crafted packets. Similarly, multiple patches fix DoS vulnerabilities in the HTTP/2 protocol stack. If you have the HTTP/2 protocol stack enabled but don’t require it, this can be disabled via the registry to prevent attacks as well. There’s also a patch for the XmlLite runtime to prevent a DoS against XML applications.
Information disclosure issues also get 15 patches this month, with most of those affecting the Graphics component, RDP, and the kernel. The SymCrypt crypto library gets a patch for an info disclosure bug that occurs during the Optimal Asymmetric Encryption Padding (OAEP) decryption stage. An attacker would need to log on to an affected system to exploit this, but if they could, they would be able to read the decrypted OAEP contents from a user-mode process.
Other notable patches this month include an update for Windows Defender. Most people will not need to take any action as the engine updates itself. Git for Visual Studio receives its first patch for a privilege escalation vulnerability, although the exploit scenario is rather complex. An authenticated attacker would need to modify Git configuration files on a system prior to a full installation of the application. The attacker would then need to convince another user on the system to execute specific Git commands. There’s also a privilege escalation in the Windows Subsystem for Linux. This has a more straightforward attack scenario with a local user running a specially crafted application.
Rounding out this month’s release, there are a few updates for the JET Database, Office, SharePoint, and other various Windows components.
There are two new advisories for August. The first provides guidance for enabling LDAP Channel Binding and LDAP Signing. These can increase the level of communication security between an Active Directory Domain Controller and its clients. The other advisory details a privilege escalation in Microsoft Live Accounts. However, this has already been mitigated and no further action is required.
Looking Ahead
The next patch Tuesday falls on September 10, and we’ll return with details and patch analysis then. Until then, happy patching and may all your reboots be smooth and clean!