Microsoft released updates to patch 93 CVEs, along with two advisories, in this month’s Patch Tuesday. The bulletin patches issues in Azure DevOps Server, Internet Explorer, Microsoft Office, Microsoft Windows, Visual Studio, to name a few. The patches address 29 vulnerabilities rated Critical and 64 that were rated Important. A total of 21 CVEs were disclosed through the Zero Day Initiative (ZDI) program.
While none of the vulnerabilities were listed as under active attack at the time of release, a few of the bugs addressed this month fall under the “wormable” category, namely remote code execution (RCE) vulnerabilities in the Remote Desktop Services (designated as CVE-2019-1181 and CVE-2019-1182) that received Microsoft’s highest exploitability ranking. An attacker can exploit these flaws to gain code execution at a system level by sending a specially crafted pre-authentication RDP packet to an affected RDS server. Like the previously patched BlueKeep vulnerability, attackers can exploit the aforementioned RDS flaws to execute arbitrary code on vulnerable computers without user interaction.
This month's Patch Tuesday also disables the scripting language VBScript by default on Internet Explorer on Windows 7, 8, and 8.1. This change can help prevent attacks associated with exploits that rely on VBScript to target Internet Explorer.
In early 2017, Microsoft began to disable VBScript in IE11 to prepare systems and applications for disabling it by default. The company also previously disabled VBScript for Internet Explorer 11 and WebOCs for internet and untrusted zones on all platforms running Internet Explorer 11 on Windows 10 last July.
Microsoft also patched vulnerabilities in the Chakra Scripting Engine and Microsoft Word in this month's update. CVE-2019-1139, CVE-2019-1140, CVE-2019-1141, CVE-2019-1195, CVE-2019-1196, and CVE-2019-1197 are Critical-rated RCE vulnerabilities that occur in the Chakra scripting engine and how it handles objects in memory in Microsoft Edge. An attacker who successfully takes advantage of any of the vulnerabilities can gain the same user rights as the current user and execute arbitrary code on the affected system. Exploiting the vulnerabilities also allow an attacker to install programs, modify data, and create new accounts with full user rights on the affected system. In case of a web-based attack, an attacker can host a specially crafted site designed to exploit the vulnerability via Microsoft Edge, tricking a user into viewing the site. Compromised sites and sites that accept or host user-provided content or advertisement can also be exploited for attacks.
CVE-2019-1201 is an RCE vulnerability in Microsoft Word, existing in the way the software improperly handles objects in memory. An attacker who successfully takes advantage of the vulnerability can perform actions in the context of the current user, i.e., taking actions with the same permissions as the current user. To exploit the vulnerability, the attacker must trick the user into opening a specially crafted file with an affected version of Microsoft Word. In an email-based attack, an attacker can take advantage of the vulnerability by sending a specially crafted file to an unwitting user. In a web-based attack scenario, on the other hand, an attack can host a site or take advantage of a compromised site that contains the specially crafted file. An attacker can trick a user into visiting the site by convincing them to click a link and open the specially crafted file. It should be noted that Microsoft Outlook Preview Pane is an attack vector for this vulnerability.
Adobe, meanwhile, released eight patches for August that cover a total of 119 CVEs, primarily in Adobe Acrobat and Reader. The majority of the bugs are either caused by out-of-bound (OOB) read or a use-after-free (UAF) condition. A total of 20 of these were handled by the ZDI program. Photoshop also has a large update, with 34 CVEs addressed this month; 17 of these were reported through ZDI.
Users with affected installations are advised to immediately apply the updates to address the exploitable vulnerabilities. The Trend Micro™ Deep Security™ and Vulnerability Protection solutions also protect systems and users from threats targeting the vulnerabilities included in this month’s Patch Tuesday release via the following Deep Packet Inspection (DPI) rules:
|1009903||Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability||CVE-2019-1196|
|1009904||Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability||CVE-2019-1139|
|1009905||Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability||CVE-2019-1140|
|1009906||Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability||CVE-2019-1141|
|1009907||Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability||CVE-2019-1195|
|1009908||Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability||CVE-2019-1197|
|1009909||Microsoft Word Remote Code Execution Vulnerability||CVE-2019-1201|
- 35830: HTTP: Microsoft Edge JIT Type Confusion Vulnerability
- 35831: HTTP: Microsoft Edge Array Object Type Confusion Vulnerability
- 35832: HTTP: Microsoft Edge JIT Type Confusion Vulnerability
- 35840: HTTP: Microsoft Edge Type Confusion Vulnerability
- 35841: HTTP: Microsoft Edge Type Confusion Vulnerability
- 35842: HTTP: Microsoft Edge Type Confusion Vulnerability