Two elevation-of-privilege vulnerabilities that have been exploited in the wild as zero-days are at the heart of September’s Patch Tuesday update from Microsoft.
The two EoP vulnerabilities under active attack consist of CVE-2019-1214, which exists in the Windows Common Log File System (CLFS) Driver; and CVE-2019-1215, which impacts the Winsock IFS Driver (ws2ifsl.sys).
“Both flaws exist due to improper handling of objects in memory by the respective drivers,” said Satnam Narang, senior research engineer at Tenable, via email. “Elevation-of-privilege vulnerabilities are utilized by attackers post-compromise, once they’ve managed to gain access to a system in order to execute code on their target systems with elevated privileges.”
According to Dustin Childs at Trend Micro’s Zero-Day Initiative, CVE-2019-1215 should be at the top of administrators’ patch list.
“An attacker who exploits this vulnerability could go from user level to administrator level access,” he said in a Patch Tuesday analysis. “Microsoft reports this is being actively used against both newer and older supported OSes, but they don’t indicate where. Interestingly, this file has been targeted by malware in the past, with some references going back as far as 2007. Not surprising, since malware often targets low-level Windows services.”
The other EoP bug has only been seen targeting older operating systems, according to Microsoft. “This is a fine time to remind you that Windows 7 is less than six months from end of support, which means you won’t be getting updates for bugs like this one next February,” Childs said. “Patch your systems, then work on your upgrade strategy.”
In all, Microsoft patched 79 CVEs in September. They affect Microsoft Windows, Internet Explorer, Microsoft Edge, ChakraCore, Office and Microsoft Office Services and Web Apps, Skype for Business and Microsoft Lync, Visual Studio, .NET Framework, Exchange Server, Microsoft Yammer and Team Foundation Server. A full 17 are listed as critical in severity, 62 are listed as important, and one is listed as moderate in severity.
Four critical vulnerabilities are found in the Microsoft Remote Desktop Client (CVE-2019-1290, CVE-2019-1291, CVE-2019-0787, CVE-2019-0788). These, identified by Microsoft’s internal research team, follow the announcement of the wormable BlueKeep bug in May (CVE-2019-0708) and the “DejaBlue” group of flaws in August, which also affect Remote Desktop Client.
“Unlike BlueKeep and DejaBlue, where attackers target vulnerable Remote Desktop servers, these vulnerabilities require an attacker to convince a user to connect to a malicious Remote Desktop server,” explained Narang. “Attackers could also compromise vulnerable servers and host malicious code on them and wait for users to connect to them.”
One of the other critical bugs (CVE-2019-1208) would allow remote code execution thanks to the way that the VBScript engine handles objects in memory. Microsoft said that an attacker who successfully exploited the vulnerability could gain the same user rights as the current user – so if the current user is logged on with administrative user rights, an attacker could take control of an affected system and go on to install programs; view, change or delete data; or create new accounts with full user rights.
“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website,” according to the advisory. “An attacker could also embed an ActiveX control marked ‘safe for initialization’ in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.”
Nine of the critical patches fix bugs that can be exploited in drive-by browser attacks; and one fixes a bug in the Azure DevOps (ADO) and Team Foundation Server (TFS) (CVE-2019-1306) that could allow an attacker to execute code on the server in the context of the TFS or ADO service account.
“An attacker would need permissions to upload a file on a target repo, but if they do, they can achieve code execution once the affected server indexes their file,” Childs said.
Similarly, a critical deserialization bug in Microsoft SharePoint (CVE-2019-1257) exists in the Business Data Connectivity Service. “For this particular case, an attacker could execute their code under the context of the SharePoint application pool identity by uploading a specially crafted SharePoint application package to an affected server,” Childs noted. “Normally, you would need to authenticate to upload such a package – unless you have enabled anonymous access.”
Also, one of the critical patches addresses a vulnerability in Microsoft Windows (CVE-2019-1280) that could allow remote code execution if a .LNK file is processed.
“The attacker could present to the user a removable drive, or remote share, that contains a malicious .LNK file and an associated malicious binary,” according to Microsoft’s advisory. “When the user opens this drive (or remote share) in Windows Explorer, or any other application that parses the .LNK file, the malicious binary will execute code of the attacker’s choice on the target system.”
The computing giant also issued a a service stack update for all operating systems, which it could start enforcing as soon as October.
“Usually these release for one or a couple of Windows editions, so for all Windows OSs to be impacted by this one is a bit out of the ordinary,” said Chris Goettl, director of product management, Security, Ivanti, via email. “They are rated as critical but are not resolving security vulnerabilities. They are also not part of the cumulative update chain. They are a separate update that needs to be installed outside of the normal cumulative or security only bundle. This is a critical update to Microsoft’s update system within the OS; this means some changes are coming down the line and there will be a point where you cannot update the Windows updates on the system if the Servicing Stack update is not applied.”
Interested in more on the internet of things (IoT)? Don’t miss our on-demand Threatpost webinar, IoT: Implementing Security in a 5G World. Join experts from Nokia, iboss and Sectigo as they offer enterprises and other organizations insights about how to approach security for the next wave of IoT deployments. Click here to listen to the recorded webinar.