Virtual Administrator’s September 2019 Patch Recommendations

This month Microsoft released patches for 79 vulnerabilities with 18 rated “Critical” and 61 as “Important”.

All September patches have been approved in our patch policy.

Lots of patches and drama this month but relatively few problems. CVE-2019-1214 and CVE-2019-1215 are elevation of privilege vulnerabilities in the Windows Common Log File System (CLFS) Driver and the Winsock IFS Driver (ws2ifsl.sys), respectively. Microsoft initially reported both as “Exploited”. However, without explanation, that was changed to not exploited a couple of days later. Three previously disclosed vulnerabilities (CVE-2019-1235, CVE-2019-1253, and CVE-2019-1294) have been patched.

Most of the chatter this month was about KB4512941 for Windows 10 v1903 where SearchUI.exe was causing severe CPU spikes. This was fixed with KB4515384 but it also caused other issues with Windows Desktop Search. (See “Search Saga” below)

New Servicing Stack Updates (SSU) for everything (ADV990001). Also, after taking a couple of months off, an Adobe Flash Player update (KB4516115) was released. Both vulnerabilities it fixes (CVE-2019-8069 and CVE-2019-8070) are considered Critical and could allow arbitrary code execution.

 

Heads Up! [ADV990001] – New Servicing Stack Updates (SSU) for all OSes

 

Disclosed: CVE-2019-1235, CVE-2019-1253, CVE-2019-1294

Exploited: None

 

Security Update Guide

https://portal.msrc.microsoft.com/en-us/security-guidance

 

Morphus Labs patch dashboard here: https://patchtuesdaydashboard.com

 

Affected software includes:

  • Microsoft Windows
  • Internet Explorer
  • Microsoft Edge (EdgeHTML-based)
  • ChakraCore
  • Microsoft Office and Microsoft Office Services and Web Apps
  • Adobe Flash Player
  • Microsoft Lync
  • Visual Studio
  • Microsoft Exchange Server
  • .NET Framework
  • Microsoft Yammer
  • .NET Core
  • ASP.NET
  • Team Foundation Server
  • Project Rome

 

Microsoft Security Advisories

 

ADV990001 | Latest Servicing Stack Updates (Published: 11/13/2018|Last Updated: 09/10/2019)

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001

Reason for Revision: A Servicing Stack Update has been released for all supported versions of Windows.

 

ADV190009 | SHA-2 Code Sign Support Advisory (Published: 03/12/2019|Last Updated: 09/10/2019)

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190009

Reason for Revision: To address a known issue on systems running Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1, and Windows Server 2008 Service Pack 2, Microsoft is re-releasing KB4474419. Microsoft recommends that customers running these versions of Windows reinstall update 4474419.

 

ADV190013 | Microsoft Guidance to mitigate Microarchitectural Data Sampling vulnerabilities (Published: 05/14/2019|Last Updated: 09/10/2019)

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190013

Reason for Revision: See above link for details. These updates are included in the September Security Only and Monthly Rollup updates.

 

ADV190022 | September 2019 Adobe Flash Security Update (Published: 09/10/2019|Last Updated: 09/11/2019)

This security update addresses the following vulnerabilities, which are described in Adobe Security Bulletin APSB19-46: CVE-2019-8069 and CVE-2019-8070.

 

ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing (Published: 08/13/2019|Last Updated: 09/10/2019)

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023

Reason for Revision: Revised Recommended Actions section to provide customers with more detailed information about actions to take to make LDAP channel binding and LDAP signing on Active Directory Domain Controllers more secure.

 

Known Issues

Microsoft is reporting only two new known issues this month, affecting IE 11 and Windows 10 version 1903.

 

Internet Explorer 11

KB4516046 Internet Explorer

KB4516065 Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Monthly Rollup)

https://support.microsoft.com/en-us/help/4516046/cumulative-security-update-for-internet-explorer

Symptom: VBScript in Internet Explorer 11 should be disabled by default after installing KB4507437 (Preview of Monthly Rollup) or KB4511872 (Internet Explorer Cumulative Update) and later. However, in some circumstances, VBScript may not be disabled as intended.

Workaround: See above link

 

Windows 10 version 1903

Search Saga – Windows 10 version 1903 KB4512941 was released on August 30 and was causing “Windows Desktop Search may not return any results and SearchUI.exe may have high CPU usage”. The problem was fixed with September’s Cumulative Update (KB4515384), but there were reports that “Some users report issues related to the Start menu and Windows Desktop Search”. In response, Microsoft posted an article to “Fix problems in Windows Search”. Note that the KB4515384 link shows “Microsoft is not currently aware of any issues with this update.”

 

Symptom: Some users report issues related to the Start menu and Windows Desktop Search

Recommendation: Fix problems in Windows Search

https://support.microsoft.com/en-us/help/4520146/fix-problems-in-windows-search

 

Windows 10 version 1903 Known issues and notifications 

https://docs.microsoft.com/en-us/windows/release-information/status-windows-10-1903#688msgdesc

 

Good resource for known issues with Windows 10 patches. Click on the version in the left column for the status of known issues.

Windows 10 release information

https://docs.microsoft.com/en-us/windows/release-information/

 

 

Monthly Rollup/Security Only/Windows 10/Server 2016,2019 KBs

Links are https://support.microsoft.com/en-us/help/####### where ####### is the KB number only (digits, without the “KB” prefix).

 

Security and Quality Rollup

KB4516065 – Windows 7, Windows Server 2008 R2

KB4516067 – Windows 8.1, Windows Server 2012 R2

KB4516055 – Windows Server 2012

KB4516026 – Windows Server 2008

 

Security Only Update

KB4516033 – Windows 7, Windows Server 2008 R2

KB4516064 – Windows 8.1, Windows Server 2012 R2

KB4516062 – Windows Server 2012

KB4516051 – Windows Server 2008

 

Cumulative Update for Windows 10

KB4516070 – Original release version 1507 (OS Build 10240)

None – Version 1511 (OS Build 10586)

KB4516044 – Version 1607 “Anniversary Update” (OS Build 14393)

KB4516068 – Version 1703 “Creators Update” (OS Build 15063)

KB4516066 – Version 1709 “Fall Creators Update” (OS Build 16299)

KB4516058 – Version 1803 “Spring Creators Update” (OS Build 17134)

KB4512578 – Version 1809 “October 2018 Update” (OS Build 17763)

KB4515384 – Version 1903 “May 2019 Update” (OS Build 18362)

 

Note: Server 2016 uses the same KB as Windows 10 Version 1607. Server 2019 uses the same KB as Windows 10 Version 1809.

 

KB4516046 – Cumulative Security Update for Internet Explorer 9/10/11

This cumulative update is included in the monthly updates listed above. It can be installed instead of the monthly update to secure Internet Explorer; otherwise it is “superseded” by the monthly update.

 

KB4516115 – Security Update for Adobe Flash Player

 

September 2019 updates for Microsoft Office

https://support.microsoft.com/en-us/help/4517986/september-2019-updates-for-microsoft-office

 

Notable CVEs

 

CVE-2019-1214 | Windows Common Log File System Driver Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1214

An elevation of privilege vulnerability exists when the Windows Common Log File System (CLFS) driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context.

To exploit the vulnerability, an attacker would first have to log on to the system, and then run a specially crafted application to take control over the affected system.

The security update addresses the vulnerability by correcting how CLFS handles objects in memory.

 

CVE-2019-1215 | Windows Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1215

An elevation of privilege vulnerability exists in the way that ws2ifsl.sys (Winsock) handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated privileges.

To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application.

The security update addresses the vulnerability by ensuring that ws2ifsl.sys properly handles objects in memory.

 

CVE-2019-1235 | Windows Text Service Framework Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1235

An elevation of privilege vulnerability exists in Windows Text Service Framework (TSF) when the TSF server process does not validate the source of input or commands it receives. An attacker who successfully exploited this vulnerability could inject commands or read input sent through a malicious Input Method Editor (IME). This only affects systems that have installed an IME.

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

The security update addresses this vulnerability by correcting how the TSF server and client validate input from each other.

 

CVE-2019-1253 | Windows Elevation of Privilege Vulnerability (Cumulative Update)

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1253

An elevation of privilege vulnerability exists when the Windows AppX Deployment Server improperly handles junctions.

To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges.

The security update addresses the vulnerability by correcting how AppX Deployment Server handles junctions.

 

CVE-2019-1294 | Windows Secure Boot Security Feature Bypass Vulnerability (Cumulative Update)

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1294

A security feature bypass exists when Windows Secure Boot improperly restricts access to debugging functionality. An attacker who successfully exploited this vulnerability could disclose protected kernel memory.

To exploit the vulnerability, an attacker must gain physical access to the target system prior to the next system reboot.

The security update addresses the vulnerability by preventing access to certain debugging options when Windows Secure Boot is enabled.