October’s Patch Tuesday is relatively modest, with Microsoft releasing a total of 59 patches. However, this shorter list still warrants attention. Nine of the 59 were still identified as Critical, while the remaining 50 were labeled Important. Most of the critical bulletins were for various Internet Explorer and Microsoft Edge vulnerabilities, with one covering a Remote Desktop Client vulnerability. The Important bulletins fixed several issues, including NTLM and Microsoft IIS server vulnerabilities.
Here’s a closer look at the notable vulnerabilities patched this month:
Remote Desktop Client
CVE-2019-1333 covered a remote code execution (RCE) vulnerability in Microsoft’s Remote Desktop Client. However, to exploit this vulnerability and gain remote access to a targeted system, an attacker must get the user to connect to a malicious RDP server, which may involve some use of social engineering.
CVE-2019-1060, CVE-2019-1238, and CVE-2019-1239 are vulnerabilities found in how the VBScript engine of Internet Explorer handles objects in memory. CVE-2019-1307, CVE-2019-1308, CVE-2019-1335, and CVE-2019-1366 are similar vulnerabilities in the Chakra scripting engine of Microsoft Edge.
In both cases, an attacker can use these vulnerabilities to corrupt memory in a way that would make it possible to run arbitrary code with the same rights as the logged-on user.
CVE-2019-1166 is a tampering vulnerability in Microsoft’s NTLM authentication protocol. This vulnerability could allow a man-in-the-middle (MITM) attacker to bypass the NTLM protection mechanism called Message Integrity Check (MIC) and downgrade NTLM security features. This is done without the signature of the NTLM packet becoming invalid.
CVE-2019-1338 is a security feature bypass vulnerability where a MITM attack could bypass NTLMv2 protection if the client is also sending out LMv2 responses. A successful exploit of this vulnerability could allow an attacker to downgrade NTLM security features, but they would need to modify the NTLM traffic exchange to do so.
Microsoft IIS Server
CVE-2019-1365 is an elevation of privilege vulnerability that could allow a potential attacker to perform cross-site scripting and run scripts in the same security context as the user. This vulnerability exists because of instances where the Microsoft IIS server inadequately sanitizes a specially crafted request.
Trend Micro solutions
Users with affected installations are advised to prioritize the updates in order to avoid possible system exploitation through unpatched vulnerabilities. The Trend Micro™ Deep Security™ and Vulnerability Protection solutions also protect systems and users from threats targeting the vulnerabilities included in this month’s Patch Tuesday, updating or creating rules to address applicable vulnerabilities found. The following rules have been released to cover the appropriate vulnerabilities:
- 1010008 – Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-1335)
- 1010009 – Microsoft Windows Elevation of Privilege Vulnerability (CVE-2019-1364)
- 1010015 – Microsoft XML Remote Code Execution Vulnerability (CVE-2019-1060)
- 1010016 – Microsoft Internet Explorer VBScript Engine Remote Code Execution Vulnerability (CVE-2019-1238)
- 1010017 – Microsoft Internet Explorer VBScript Engine Remote Code Execution Vulnerability (CVE-2019-1239)
- 1010018 – Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-1307)
- 1010019 – Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-1308)
- 1010020 – Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-1366)
- 1010021 – Microsoft Graphics Components Information Disclosure Vulnerability (CVE-2019-1361)
- 36259: HTTP: Microsoft Windows Win32k tiff Processing Elevation of Privilege Vulnerability
- 36319: HTTP: Microsoft Edge JIT Type Confusion Vulnerability
- 36320: HTTP: Microsoft Edge JIT Type Confusion Vulnerability
- 36321: HTTP: Microsoft Internet Explorer JScript Engine Type Confusion Vulnerability
- 36322: HTTP: Microsoft Internet Explorer MSXML Use-After-Free Vulnerability
- 36323: HTTP: Microsoft Internet Explorer VBScript Libraries Type Confusion Vulnerability
- 36324: HTTP: Microsoft Edge Chakra JIT Type Confusion Vulnerability
We are working hard to continue to provide protection where possible. You can keep track of the latest released rules through the following advisory.