September Patch Tuesday arrived with fixes for two zero-day vulnerabilities and three public disclosures that make patching the OS on both clients and servers a priority for administrators.
Microsoft addressed 79 unique vulnerabilities -- 17 with a critical severity rating -- including two Windows zero-days that administrators should put near the top of their patching priority list. As part of its September Patch Tuesday releases, Microsoft also closed bugs in its Internet Explorer and Edge browsers, Microsoft Office, Skype for Business, Exchange Server and Yammer.
Microsoft squashes two Windows zero-days
A zero-day (CVE-2019-1214) in the Windows Common Log File System driver gives an attacker, who needs to have prior access to the network, a way to elevate privileges by running a specially crafted application. This vulnerability, rated important, affects all supported versions of Windows on the server and client side.
"This is what attackers will use to elevate their privilege level and be able to gain persistent access and start to pivot and move elsewhere in the environment," said Chris Goettl, director of product management and security at Ivanti, a security and IT management vendor based in South Jordan, Utah.
Microsoft patched another zero-day (CVE-2019-1215). This flaw in the Winsock component, rated important, lets an intruder who has gained access with local authentication run code with elevated privileges. This vulnerability affects all supported Windows systems on desktops and clients.
It's important to weigh other factors in addition to the severity rating and the Common Vulnerability Scoring System (CVSS) score when determining the precedence of updates for systems, Goettl said. An administrator who gives critical updates top billing might miss these sorts of zero-days that have a less severe rating, he said.
"Typically, we recommend vendor severity, plus CVSS score, and use indicators like exploited or publicly disclosed as additional risk indicators that would raise the priority," Goettl said.
Editor’s note: After Microsoft released the September Patch Tuesday advisories, the company revised the details for CVE-2019-1214 and CVE-2019-1215. An email from a Microsoft spokesperson on Sept. 13 said "previous information about the CVEs being 'under attack' is incorrect" and that the advisories had been updated. No further details were available.
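Goettl's rule of thumb, worked through as an added example (not code from the article, Ivanti or Microsoft): a small Python scorer that takes vendor severity plus CVSS as its base and adds weight when a bug is exploited or publicly disclosed, so an important-rated zero-day outranks a critical bug nobody is attacking. The severity ranks, the indicator weights and the CVSS values in the sample are assumptions; the CVE ids and severity labels come from the article.

```python
from dataclasses import dataclass

# Microsoft's vendor severity labels, ranked low to high (the ranks are an assumption).
SEVERITY_RANK = {"low": 1, "moderate": 2, "important": 3, "critical": 4}

# Extra weight for the two risk indicators Goettl names; the values are assumptions.
EXPLOITED_BONUS = 25
DISCLOSED_BONUS = 15


@dataclass(frozen=True)
class Advisory:
    cve: str
    severity: str            # vendor severity label as published by Microsoft
    cvss: float              # CVSS base score, 0.0 to 10.0
    exploited: bool = False  # exploitation seen in the wild (zero-day)
    disclosed: bool = False  # details were public before the fix shipped


def priority_score(adv: Advisory) -> float:
    """Vendor severity plus CVSS forms the base; exploited or publicly
    disclosed status raises it, so an important-rated zero-day can land
    above a critical bug that nobody is attacking."""
    score = SEVERITY_RANK[adv.severity.lower()] * 10 + adv.cvss
    if adv.exploited:
        score += EXPLOITED_BONUS
    if adv.disclosed:
        score += DISCLOSED_BONUS
    return round(score, 1)


def rank_by_priority(advisories):
    """Return CVE ids, highest patching priority first."""
    return [a.cve for a in sorted(advisories, key=priority_score, reverse=True)]


# Constructed sample: CVE ids and severity labels are from the article; the CVSS
# values are placeholders, and the exploited flag reflects the article's initial
# reporting of CVE-2019-1214 as a zero-day.
SAMPLE = [
    Advisory("CVE-2019-0787", "Critical", 7.5),                   # RDP client, critical
    Advisory("CVE-2019-1214", "Important", 7.8, exploited=True),  # CLFS driver zero-day
    Advisory("CVE-2019-1235", "Important", 7.8, disclosed=True),  # Text Service Framework
    Advisory("CVE-2019-1294", "Important", 6.8, disclosed=True),  # secure boot bypass
]

if __name__ == "__main__":
    for cve in rank_by_priority(SAMPLE):
        print(cve, priority_score(next(a for a in SAMPLE if a.cve == cve)))
```

With these weights the critical RDP bug drops to the bottom of the list behind the important-rated zero-day and the two public disclosures, which is exactly the reordering Goettl argues for.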
Fixes issued for three public disclosures
In August, Tavis Ormandy of Google Project Zero revealed an elevation-of-privilege vulnerability in the Windows Text Service Framework. The exploit, which requires prior authentication on the system, lets the intruder run a specially crafted program to take over the system. Microsoft closed this vulnerability (CVE-2019-1235), rated important for all supported Windows versions, by adjusting how the Text Service Framework server and client validate input from each other.
"The risk of a public disclosure is that there is enough information about how to exploit this vulnerability in the wild. An attacker has an advanced start on research. They don't have to reverse-engineer and try to figure it all out for themselves," Goettl said.
CVE-2019-1253 -- an elevation-of-privilege vulnerability rated important for Windows 10 and Windows Server 2019 systems -- follows the same pattern as the other vulnerabilities: An attacker who has logged into a system can run code to elevate privileges. Microsoft's update corrects the flaw in the Windows AppX Deployment Server, which handles tasks related to apps in the Microsoft Store.
The last public disclosure is a bug in the Windows secure boot security feature (CVE-2019-1294), rated important, that affects Windows 10 and Windows Server 2019 systems. The exploit requires physical access to a device running the OS, such as a laptop. Systems that use BitLocker and full-disk encryption would not be susceptible to this kind of attack, Goettl said.
Several Microsoft development tools patched
"The .NET Framework update was only for 3.5 and later, nothing earlier. This is one of those areas where people need to focus on moving forward from those older development tool sets that have reached end-of-life to continue to get security coverage from Microsoft," Goettl said.
BlueKeep vulnerability remains a concern
Microsoft continued to close holes in the Remote Desktop Client by addressing four critical vulnerabilities -- CVE-2019-0787, CVE-2019-0788, CVE-2019-1290 and CVE-2019-1291 -- that do not have the same "wormable" threat potential as BlueKeep and DejaBlue. The bugs fixed by the September Patch Tuesday updates would require some interaction from a user to trigger the exploit.
Even after multiple warnings from Microsoft, there has been no BlueKeep outbreak on Windows systems, despite recent exploit code releases. In one recent example, Metasploit -- an open source penetration testing framework sponsored by security company Rapid7 -- published a BlueKeep module on Sept. 6. The coders purposefully limited the module's abilities to curb potential misuse.
"By default, Metasploit's BlueKeep exploit only identifies the target operating system version and whether the target is likely to be vulnerable. The exploit does not currently support automatic targeting; it requires the user to manually specify target details before it will attempt further exploitation," Rapid7 wrote in a blog.
Despite the outcry on Twitter related to the Metasploit release, other security vendors have released similar code, and Goettl said he suspects a global catastrophe might not come to fruition for one specific reason.
"Our speculation is that the threat actors who are going to take advantage of BlueKeep are less likely to do so from a ransomware perspective," Goettl said. "If somebody did this from a cryptomining perspective and spread this out to hundreds of thousands of systems simultaneously -- even for a few months -- the revenue stream could be on the order of tens of millions of dollars, compared to the $200,000 WannaCry was able to extort over its five-month life."
All Windows systems get critical servicing stack update
In what may be a prelude to upcoming changes to Windows updates, Microsoft issued an advisory (ADV990001) related to the servicing stack in all supported client and server Windows OSes.
The corresponding Knowledge Base articles indicate administrators should apply servicing stack updates before the latest cumulative update to ensure security updates arrive and install properly. The fact that all Windows systems require this update points to a significant change coming from Microsoft, possibly over the next few months, Goettl said. He recommended administrators put this update near the top of their priority list; otherwise, they could be in for a surprise when Patch Tuesday comes and their systems cannot install security updates.
"You should definitely start testing and planning this out. Ideally, if they can have it installed before October, that's the best-case scenario, but definitely have it in place before November to avoid any last-minute scrambles," Goettl said.