Microsoft’s September 2019 Patch Tuesday fixes 79 vulnerabilities

  • Microsoft has rolled out fixes for 79 vulnerabilities as a part of its September 2019 Patch Tuesday.
  • This includes fixes for two zero-day exploits and 17 critical vulnerabilities.

The September 2019 Patch Tuesday brings security patches from Microsoft for 79 vulnerabilities that span across 15 products.

Security patches available for two zero-day exploits

Two zero-day exploits, CVE-2019-1214 and CVE-2019-1215, were patched this month. Both of them are Elevation of Privilege (EoP) vulnerabilities.

  • An EoP vulnerability can be exploited to execute malicious code on an infected system by gaining administrator access.
  • CVE-2019-1214 is the Windows Common Log File System Driver Elevation of Privilege Vulnerability and CVE-2019-1215 is the Windows Elevation of Privilege Vulnerability.
  • Microsoft has not disclosed any details about how these zero-days were exploited.

“Both flaws exist due to improper handling of objects in memory by the respective drivers. Elevation-of-privilege vulnerabilities are utilized by attackers post-compromise, once they’ve managed to gain access to a system in order to execute code on their target systems with elevated privileges,” said Satnam Narang, a senior research engineer at Tenable.

Critical bugs in RDP fixed

Four critical flaws —CVE-2019-1291, CVE-2019-1290, CVE-2019-0788, CVE-2019-0787—in Microsoft’s Remote Desktop Protocol (RDP) feature have been fixed. These vulnerabilities, when exploited, allow remote code execution by malicious servers.

Advisories released

Microsoft has released two advisories in September’s Patch Tuesday.

  • ADV190022 - September 2019 Flash Security Updated. This provides security updates for vulnerabilities defined in Adobe Security Bulletin APSB19-46: CVE-2019-8069 and CVE-2019-8070
  • ADV990001 - Latest Servicing Stack Updates

What to look out for

Other organizations such as Adobe and SAP also publish security updates on the day of Microsoft’s Patch Tuesday.

Cyware Publisher

Publisher

Cyware