- Microsoft has rolled out fixes for 79 vulnerabilities as a part of its September 2019 Patch Tuesday.
- This includes fixes for two zero-day exploits and 17 critical vulnerabilities.
The September 2019 Patch Tuesday brings security patches from Microsoft for 79 vulnerabilities that span across 15 products.
Security patches available for two zero-day exploits
Two zero-day exploits, CVE-2019-1214 and CVE-2019-1215, were patched this month. Both of them are Elevation of Privilege (EoP) vulnerabilities.
- An EoP vulnerability can be exploited to execute malicious code on an infected system by gaining administrator access.
- CVE-2019-1214 is the Windows Common Log File System Driver Elevation of Privilege Vulnerability and CVE-2019-1215 is the Windows Elevation of Privilege Vulnerability.
- Microsoft has not disclosed any details about how these zero-days were exploited.
“Both flaws exist due to improper handling of objects in memory by the respective drivers. Elevation-of-privilege vulnerabilities are utilized by attackers post-compromise, once they’ve managed to gain access to a system in order to execute code on their target systems with elevated privileges,” said Satnam Narang, a senior research engineer at Tenable.
Critical bugs in RDP fixed
Four critical flaws —CVE-2019-1291, CVE-2019-1290, CVE-2019-0788, CVE-2019-0787—in Microsoft’s Remote Desktop Protocol (RDP) feature have been fixed. These vulnerabilities, when exploited, allow remote code execution by malicious servers.
Microsoft has released two advisories in September’s Patch Tuesday.
- ADV190022 - September 2019 Flash Security Updated. This provides security updates for vulnerabilities defined in Adobe Security Bulletin APSB19-46: CVE-2019-8069 and CVE-2019-8070
- ADV990001 - Latest Servicing Stack Updates
What to look out for
Other organizations such as Adobe and SAP also publish security updates on the day of Microsoft’s Patch Tuesday.