Back to school, back to work…and now back to Microsoft updates. I hope that you got some rest this summer, as we are seeing an ever-increasing number and variety of vulnerabilities and corresponding updates covering all Windows platforms (desktop and server), Microsoft Office and a widening array of patches to Microsoft development tools.
This September update cycle brings two zero-days and three publicly reported vulnerabilities in the Windows platform. These two zero-days (CVE-2019-2014 and CVE-2019-1215) have credibly reported exploits which could lead to arbitrary code execution on the target machine. Both browser and Windows updates require immediate attention and your development team will need to spend some time with the latest patches to .NET and .NET Core.
The only good news here is that with each later release of Windows, Microsoft does seem to be experiencing fewer major security issues. There is now a good case to keep up with a rapid update cycle and stay with Microsoft on the later versions, with older releases an increasing security (and change control) risk.
With each update that Microsoft releases, there are generally a few issues that have been raised in testing. For this September release, and specifically Windows 10 1803 (and earlier) builds, the following issues have been raised:
- 4516058: Windows 10, version 1803, Windows Server version 1803 – Microsoft states in their latest release notes that, “Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This issue appears to be happening to a large number of clients, and it appears that Microsoft is taking the issue seriously and investigating. Expect an out of bound update on this issue if there is a reported vulnerability paired to this issue.
- 4516065 : Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Monthly Rollup) VBScript in Internet Explorer 11 should be disabled by default after installing KB4507437 (Preview of Monthly Rollup) or KB4511872 (Internet Explorer Cumulative Update) and later. However, in some circumstances, VBScript may not be disabled as intended. This is a follow-up from last month’s (July) Patch Tuesday Security update. I think the key issue here is to ensure that VBScript really is disabled for IE11. Now that Adobe Flash is gone, we can start working to remove VBScript from our systems
- Windows 10 1903 Release Information : Updates may fail to install, and you may receive Error 0x80073701. Installation of updates may fail, and you may receive the error message, “Updates Failed, there were problems installing some updates, but we’ll try again later” or “Error 0x80073701” on the Windows Update dialog or within Update history. Microsoft has reported that these issues are expected to be resolved in either the next release or possibly at the end of the month.
There were a number of late published revisions to this month’s September Patch Tuesday update cycle including:
- CVE-2018-15664: Docker Elevation of Privilege Vulnerability. Microsoft has released an updated version of the AKS code which can be now found here.
- CVE-2018-8269 : OData Library Vulnerability. Microsoft has updated this issue including NET Core 2.1 and 2.1 to the affected products list.
- CVE-2019-1183: Windows VBScript Engine Remote Code Execution Vulnerability. Microsoft has released information detailing that this vulnerability has been fully mitigated now with other related updates to the VBScript engine. In this rare example, no further action is required, and this change/update is no longer required. You may find that the provided link no longer works, depending on your region.
Microsoft has attempted to address five critical vulnerabilities and a further 44 security issues that have been rated as important by Microsoft. The “elephant in the room” is the two zero-day publicly exploited vulnerabilities:
- CVE-2019-1215: This is a remote execution vulnerability in the core Winsock networking component (ws2ifsl.sys) that could lead to an attacker running arbitrary code, once locally authenticated.
- CVE-2019-1214: This is another critical vulnerability Windows Common Log File System (CLFS) that threatens older system with an arbitrary code execution upon local authentication.
Regardless of what else is happening with Windows updates this month, these two issues are pretty serious and will require immediate attention. In addition to the two September zero-days, Microsoft has released a number of other updates including:
- 4515384: Windows 10, version 1903, Windows Server version 1903 – This bulletin refers to five vulnerabilities relating to Micro-architectural Data Sampling where the micro-processor attempts to guess what instructions may come next. Microsoft recommends disabling Hyper-Threading. Please see the Microsoft Knowledge Base Article 4073757 for guidance on protecting Windows platforms. To address the following vulnerabilities in, you may need a firmware upgrade:
- Windows Update Improvements: Microsoft has released an update directly to the Windows Update client to improve reliability. Any device running Windows 10 configured to receive updates automatically from Windows Update, including Enterprise and Pro editions.
- CVE-2019-1267: Microsoft Compatibility Appraiser Elevation of Privilege Vulnerability. This is an update to the Microsoft compatibility engine. This may start to raise further and more controversial issues for enterprise customers very soon. I wanted to have a little “dig” here at Microsoft as their application compatibility assessment tool was breaking applications. I chose not to.
As mentioned previously, this is a big update, with credible reports of publicly exploited vulnerabilities on the Windows platform. Add this update to your “Patch Now” release schedule.
Microsoft is working to address eight critical updates that could lead to a remote code execution scenario. A pattern is emerging with a recurring set of security issues raised against the following browser functionality clusters:
- Chakra Scripting Engine
- Microsoft Scripting Engine
All of these issues affect the most recent versions of Windows 10 (both 32-bit and 64-bit) and apply to both Edge and Internet Explorer (IE). The VBScript issues (CVE-2019-1208) and CVE-2019-1236) are particularly nasty as a visit to a website may lead to the inadvertent install of a malicious ActiveX control which then effectively cedes control to an attacker. We suggest that all enterprise customers:
Given these concerns, please add this browser update to your “Patch Now” schedule.
This month Microsoft addresses three critical and eight important vulnerabilities in the Microsoft Office productivity suite covering the following areas:
- Lync 2013 Information Disclosure Vulnerability
- Microsoft SharePoint Remote Code/Spoofing/XSS Vulnerability
- Microsoft Excel Remote Code Execution Vulnerability
- Jet Database Engine Remote Code Execution Vulnerability
- Microsoft Excel Information Disclosure Vulnerability
- Microsoft Office Security Feature Bypass Vulnerability
Lync 2013 may not be your top priority this month, but the JET and SharePoint issues are serious and will require a response. The Microsoft JET database issues are the cause of most concern, even though Microsoft has rated them important, as they are key dependencies across a broad platform. Microsoft JET has always been difficult to debug and now it seems to be causing security issues every month for the past year. It’s time to move away from JET… just like everyone has moved from Flash and ActiveX, right?
Add this update to your standard patch schedule, and make sure that all of your legacy database applications have been tested before a full roll-out.
This section gets a little bigger with each Patch Tuesday. Microsoft is addressing six critical updates and a further six updates rated as important covering the following development areas:
- Chakra Scripting Engine
- Rome SDK (in case you didn’t know, its Microsoft’s in-house Graph tool)
- Diagnostics Hub Standard Collector Service
- .NET Framework. Core and .NET Core
- Azure DevOps and Team Foundation Server
Critical updates to Chakra Core and Microsoft Team Foundation server will require immediate attention while the remaining patches should be included in the developer update release schedule. With upcoming major releases to .NET Core this November, we will continue to see large updates in this area. As always, we suggest some thorough testing and a staged release cadence for your development updates.
Adobe is back on form with a critical update included in this month’s regular patch cycle. Adobe’s update (APSB19-46) addresses two memory related issues which could lead to arbitrary code execution on the target platform. Both security issues (CVE-2019-8070 and CVE-2019-8069) have a combined base CVSS score of 8.2, and so we suggest that you add this critical update to your Patch Tuesday release schedule.