Go to listing page

Microsoft’s September 2019 Patch Tuesday fixes 79 vulnerabilities

Microsoft’s September 2019 Patch Tuesday fixes 79 vulnerabilities
  • Microsoft has rolled out fixes for 79 vulnerabilities as a part of its September 2019 Patch Tuesday.
  • This includes fixes for two zero-day exploits and 17 critical vulnerabilities.

The September 2019 Patch Tuesday brings security patches from Microsoft for 79 vulnerabilities that span across 15 products.

Security patches available for two zero-day exploits

Two zero-day exploits, CVE-2019-1214 and CVE-2019-1215, were patched this month. Both of them are Elevation of Privilege (EoP) vulnerabilities.

  • An EoP vulnerability can be exploited to execute malicious code on an infected system by gaining administrator access.
  • CVE-2019-1214 is the Windows Common Log File System Driver Elevation of Privilege Vulnerability and CVE-2019-1215 is the Windows Elevation of Privilege Vulnerability.
  • Microsoft has not disclosed any details about how these zero-days were exploited.

“Both flaws exist due to improper handling of objects in memory by the respective drivers. Elevation-of-privilege vulnerabilities are utilized by attackers post-compromise, once they’ve managed to gain access to a system in order to execute code on their target systems with elevated privileges,” said Satnam Narang, a senior research engineer at Tenable.

Critical bugs in RDP fixed

Four critical flaws —CVE-2019-1291, CVE-2019-1290, CVE-2019-0788, CVE-2019-0787—in Microsoft’s Remote Desktop Protocol (RDP) feature have been fixed. These vulnerabilities, when exploited, allow remote code execution by malicious servers.

Advisories released

Microsoft has released two advisories in September’s Patch Tuesday.

  • ADV190022 - September 2019 Flash Security Updated. This provides security updates for vulnerabilities defined in Adobe Security Bulletin APSB19-46: CVE-2019-8069 and CVE-2019-8070
  • ADV990001 - Latest Servicing Stack Updates

What to look out for

Other organizations such as Adobe and SAP also publish security updates on the day of Microsoft’s Patch Tuesday.

Cyware Publisher