By Jon Munshaw.
Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday discloses 60 vulnerabilities, nine of which are considered "critical," with the rest being deemed "important."
This month’s security update covers security issues in a variety of Microsoft services and software, the Chakra Scripting Engine, the Windows operating system and the SharePoint software.
Talos also released a new set of SNORTⓇ rules that provide coverage for some of these vulnerabilities. For more, check out the Snort blog post here.
Critical vulnerabilities Microsoft disclosed nine critical vulnerabilities this month, eight of which we will highlight below.
CVE-2019-1333 is a client-side remote execution vulnerability in Remote Desktop Services (RDP) that occurs when a user visits a malicious server. An attacker could exploit this vulnerability by having control of a malicious server, and then convincing the user to connect to it — likely via social engineering or a man-in-the-middle attack. An attacker could also compromise a legitimate server and then host malicious code on it, waiting for a user to connect. If successful, the attacker could gain the ability to remotely execute code on the victim machine that connected to the server.
CVE-2019-1238 and CVE-2019-1239 are remote code execution vulnerabilities that exist in the way VBScript handles objects in memory. These bugs all could lead to memory corruption in a way that would allow an attacker to execute arbitrary code on the victim machine. An attacker could exploit these vulnerabilities by tricking a user into visiting a specially crafted, malicious website through Internet Explorer. They could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that utilizes the Internet Explorer rendering engine.
CVE-2019-1307, CVE-2019-1308, CVE-2019-1335 and CVE-2019-1366 are all memory corruption vulnerabilities in the Chakra Scripting Engine inside of the Microsoft Edge web browser. An attacker could use these bugs to corrupt memory on the victim machine in a way that would allow them to remotely execute arbitrary code. A user could trigger these vulnerabilities by visiting a specially crafted, malicious website in Edge.
CVE-2019-1372 is an elevation of privilege vulnerability on Azure Stack when the Azure App Service fails to properly check the length of a buffer prior to copying memory to it. An attacker could exploit this vulnerability to copy any function run by the user, thereby executing code in the context of NT AUTHORITY/system, which could allow the attacker to escape a sandbox.
There is also CVE-2019-1060, a remote code execution vulnerability in Microsoft XML Core Services.
Important vulnerabilities This release also contains 51 important vulnerabilities.
Coverage In response to these vulnerability disclosures, Talos is releasing a new SNORTⓇ rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.
These rules are: 51733 - 51736, 51739 - 51742, 51781 - 51794