Microsoft patches 80 vulnerabilities in September 2019 Patch Tuesday

Seventeen 'critical' vulnerabilities patched, while 62 were rated as 'important'

Microsoft has released its September 2019 Patch Tuesday update, addressing a total of 80 security vulnerabilities. Of these, 17 are listed as 'critical' - requiring an urgent patch - while 62 are merely rated as 'important'.

According to Microsoft, these vulnerabilities affect a variety of software products, including Windows (of course), Microsoft's Edge web browser, Internet Explorer, ChakraCore, Skype for Business, Microsoft Lync, the .NET Framework, Visual Studio, Exchange Server, Team Foundation Server, Microsoft Yammer, and Microsoft Office Services and Web Apps.

Two of the patched vulnerabilities were originally categorised as zero-days: flaws that were already being exploited in the wild by attackers before Microsoft released fixes for them.

These two zero-days, indexed as CVE-2019-1214 and CVE-2019-1215, are elevation of privilege (EoP) vulnerabilities, which could enable an attacker to gain administrator status on infected hosts and then execute malicious code on the system.

CVE-2019-1214 impacts the Windows Common Log File System driver. It was discovered by a security researcher from Qihoo 360 Vulcan Team, according to Microsoft.

CVE-2019-1215 exists in the ws2ifsl.sys (Winsock IFS Driver) service.

The September Patch Tuesday update also addresses four critical vulnerabilities in Microsoft Remote Desktop Client. Indexed as CVE-2019-1290, CVE-2019-1291, CVE-2019-0787, and CVE-2019-0788, the bugs were discovered by Microsoft's internal team, and follow the disclosure of the wormable BlueKeep bug (in May) and the "DejaBlue" flaws (in August), which also affect Remote Desktop Client.

To exploit the Remote Desktop Client bugs, a threat actor would first need to trick a user into connecting to a hacked or malicious RDP server. Microsoft didn't reveal whether these bugs could be used by attackers to create self-spreading wormable exploits.

Microsoft's September security update also patches a critical vulnerability in the way the Windows operating system handles link (.lnk) files. Attackers can use such files to launch malware on a vulnerable machine when a user accesses a shared folder or opens a removable drive containing a booby-trapped .lnk file.

Of the 17 critical vulnerabilities patched in the latest update, nine can be exploited in drive-by browser attacks, Microsoft warned.

One vulnerability, affecting the Team Foundation Server (TFS) and Azure DevOps (ADO), indexed as CVE-2019-1306, could enable threat actors to run code on the server in the context of the ADO or TFS service account.