MICROSOFT HAS PLASTERED OVER two zero-day vulnerabilities in its latest Patch Tuesday bug-fix bundle.
The September 2019 Patch Tuesday update addresses a total of 80 vulnerabilities; 17 are listed as 'critical' - requiring an urgent patch, while 62 are merely rated as 'important'.
According to Microsoft, these vulnerabilities affect a variety of software products, including Windows (of course), Microsoft's Edge web browser, Internet Explorer, ChakraCore, Skype for Business, Microsoft Lync, the .NET Framework, Visual Studio, Exchange Server, Team Foundation Server, Microsoft Yammer, and Microsoft Office Services and Web Apps.
Two vulnerabilities patched are zero-days - flaws that were already exploited in the wild by attackers. These flaws, indexed as CVE-2019-1214 and CVE-2019-1215, are elevation of privilege (EoP) vulnerabilities, which could allow an attacker to gain administrator status on infected hosts and then execute malicious code on the system.
CVE-2019-1214 affects the Windows Common Log File System driver and, according to Microsoft, was discovered by a security researcher from Qihoo 360 Vulcan Team. CVE-2019-1215 exists in the ws2ifsl.sys (Winsock IFS Driver) service.
The September Patch Tuesday update also addresses four critical vulnerabilities in Microsoft Remote Desktop Client. Indexed as CVE-2019-1290, CVE-2019-1291, CVE-2019-0787, and CVE-2019-0788, the bugs were discovered by Microsoft's internal team, and follow the disclosure of the wormable BlueKeep bug and the "DejaBlue" flaws, which also affect Remote Desktop Client.
In order to exploit the Remote Desktop Client bugs, a threat actor would first need to trick a user into connecting to a hacked or malicious RDP server. Microsoft didn't reveal whether these bugs could be used by attackers to create self-spreading wormable exploits.
Microsoft's September security update also patches a critical vulnerability in the way the Windows operating system handles link (.lnk) files. Attackers can use such files to launch malware on a vulnerable machine when a user accesses a shared folder or opens a removable drive containing a booby-trapped .lnk file.
Of the 17 critical vulnerabilities patched in the latest update, nine can be exploited in drive-by browser attacks, Microsoft warned.
One vulnerability, affecting the Team Foundation Server (TFS) and Azure DevOps (ADO), indexed as CVE-2019-1306, could enable threat actors to run code on the server in the context of the ADO or TFS service account.