In this month’s security updates, Microsoft fixes 78 vulnerabilities: By the company’s reckoning, 17 of the fixes address critical issues, 60 important ones, and one bug of moderate severity. Many of these fixes are related to Windows internal components that an attacker could leverage to gain remote code execution or perform local privilege elevation.
The Remote Desktop Protocol (RDP) is once again under the spotlight, but this time, it isn’t the server that is impacted, but the RDP client. Not one to be left out, Adobe is also issuing an update to repair one critical vulnerability in Flash, and they produced one advisory.
Here is the list of products or components patched in this month’s update rollup:
– RDP client
– Windows kernel (drivers, ALPC)
– Windows graphical components (DirectX, GDI, Win32k, DirectWrite)
– .NET framework
– Windows VBScript Engine
– Microsoft Edge, Internet Explorer, & ChakraCore
– Jet Database Engine
– Lync 2013
– Project Rome SDK
– Azure DevOps and Team Foundation Server
– Many other Windows components
There are reports that the two elevation of privilege vulnerabilities affecting Windows components are actively being exploited.
It’s worth reminding readers that the availability of patches does not mean that your computer has installed them, yet. To find and download this month’s Cumulative Update patch yourself, search for the term “2019-09” at the Microsoft Update Catalog website.
Let’s have a closer look at some of the interesting vulnerabilities:
Windows Common Log File System Driver Elevation of Privilege Vulnerability (CVE-2019-1214)
It is possible to produce an out of bound write in the kernel driver in charge of the common log file system. An attacker, after having control of the machine, could leverage this vulnerability to elevate its privilege. This vulnerability is being exploited in the wild.
Windows Elevation of Privilege Vulnerability (CVE-2019-1215)
There exists a use after free vulnerability in the Winsock 2 Instable File System Layer kernel driver. As with the previous vulnerability, an attacker could elevate its privilege locally. By default, the driver is disabled on Windows (this can be checked with this command in an elevated shell: “sc qc ws2ifsl”). This means that by default the vulnerability is not exposed. This vulnerability is being exploited in the wild.
Remote Desktop Client Remote Code Execution Vulnerabilities (CVE-2019-0787, -0788)
These two vulnerabilities could be used to gain remote code execution on RDP client. The scenario here would be that an attacker first needs to control a machine with RDP server running, usually a Windows Server or a virtual machine. A legitimate user or administrator would then need to execute through the RDP session on the compromised machine the malicious that would attack the RDP client. A successful attack, would allow the attacker to gain remote code execution on the machine of the tricked user and pivot to it.
Microsoft SharePoint Remote Code Execution Vulnerabilities (CVE-2019-1257, -1295, -1296)
SharePoint suffers from multiple unsafe deserialization on BDC models. A successful attack would allow an attacker to execute arbitrary code on the server.
Sophos detection guidance
Sophos has published the following antivirus and intrusion protection signatures to address some of the vulnerabilities referenced above.
N/V = Not Validated. The PoC code provided with MAPP advisories does not include active exploits and as such is not applicable to Intercept X testing. The IX ability to block the exploit depends on actual exploit weaponization approach which we won’t see until it’s spotted in the wild. The SAV and IPS detections developed for the PoCs do not guarantee interception of in-the-wild attacks
In addition, the following IPS signatures refer to some of the vulnerabilities referenced in the preceding text.
How long does it take to have Sophos detection in place?
We aim to add detection to critical issues based on the type and nature of the vulnerabilities as soon as possible. In many cases, existing detections will catch exploit attempts without the need for updates.
What if the vulnerability/0-day you’re looking for is not listed here?
If we haven’t released an update for a specific exploit, the most likely reason is that we did not receive the data that shows how the exploit works in the real world. As many of this month’s exploits were crafted in a lab and have not been seen in the wild, nobody has enough information (yet) about how criminals would, hypothetically, exploit any given vulnerability. If or when we receive information about real attacks, we will create new detections, as needed.