September Patch Tuesday: Still Waters Run Deep

September Patch Tuesday: Still Waters Run Deep

September Patch Tuesday: Still Waters Run Deep

This month, we have another relatively light set of updates but that doesn’t mean the threat of attack has reduced. In fact, the number of ransomware attacks in September has continued to rise, particularly in the public sector. With this in mind, now may be a good time to review your patches…

This month, Microsoft resolved 79 unique CVEs, plugging various gaps in Windows software, including two zero-days and three publicly disclosed vulnerabilities. Both zero-days relate to elevation-of-privilege vulnerabilities.

CVE-2019-1215

The first, CVE-2019-1215, exists in the Winsock component and affects how the Winsock handles objects in memory. A locally authenticated attacker may try to run code to exploit this vulnerability.

CVE-2019-1214

The second, CVE-2019-1214, exists in the Windows Log Common File System driver. This vulnerability exists when Windows improperly handles objects in memory. Again, an attacker would have to log on to the system and run a specifically crafted application to take control.

This month, Microsoft also released service stack updates for all supported OS’s. These are usually only released for a few editions at a time, so an update for all is somewhat unusual. A couple of good points to note about these updates:

  • While they are rated as Critical they are not resolving security vulnerabilities.
  • They do not form part of the cumulative update chain.
  • Servicing stack updates are installed outside of the normal security bundle.
  • Service stack updates prepare the OS to support future updates.

This Patch Tuesday also marks the fourth time that Microsoft has fixed critical bugs in its Remote Desktop Protocol in 2019 (previous instances including the notorious Bluekeep and last month’s “Seven Monkeys”) with four critical flaws being patched in the service.

Adobe

Never one to be left out, Adobe fixed two CVEs in the Flash Player browser plugin, which is bundled with Internet Explorer, Microsoft Edge and Google’s Chrome. It’s also worth noting that Adobe will stop supporting Flash by 2021.

As always, Options is actively patching any and all vulnerabilities highlighted above – it is imperative that operating systems and 3rd party software products are kept up to date. Security doesn’t end with vulnerability patching; well-trained employees and a strong supporting security team are also essential. In 2019 we’ve substantially expanded our team and extended our global operational presence, rolling out rigorous training programs across the board alongside numerous platform security enhancements and the deployment of new cybersecurity initiatives to safeguard our clients’ data. For the latest on our Security, Intelligence and Analytics product offering, download our product sheet here.

– Vulnerability Management Team

Leave a Reply

Your email address will not be published. Required fields are marked *