Automox Patch Tuesday Breakdown: October 2019

Welcome to October's Automox Patch Tuesday breakdown.

October is looking like a relatively quiet month in terms of patching – a gift we can all be thankful for after an entire summer of massive updates. This month's update from Microsoft includes fixes for 59 vulnerabilities, nine of which are ranked “critical.” For October, Apple has also released security updates for select versions of iCloud, iTunes and Catalina macOS.

There is also a major zero-day vulnerability for Android devices with an available patch. While Google normally just rolls out patches for its own devices, multiple Android carriers are releasing their own patches to address this potential threat. For system admins, patching is all about protecting their organization's network, but it's important to take the time to patch your phone, too – especially when there's a zero-day.

Earlier this season, Microsoft also released out-of-band updates for all versions of Windows. In a rare Thursday update at the end of September, Microsoft rolled out patches for critical Internet Explorer and Windows Defender bugs. Adobe also released an emergency patch to address a series of critical vulnerabilities for ColdFusion. See last month's breakdown for more on September's Patch Tuesday update.

Critical Updates from Microsoft

October's Patch Tuesday brings fixes for nine critical vulnerabilities from Microsoft. These include:

CVE-2019-1166 and CVE-2019-1338 are both NTLM vulnerabilities discovered by the security firm Preempt.

CVE-2019-1166 is a tampering vulnerability which occurs in Windows when a man-in-the-middle (MITM)  attacker circumvents NTLM MIC (Message Integrity Check) protections. Successful exploitation of this vulnerability could allow attackers to downgrade security features for NTLM. The update corrects this by hardening server-side NTLM MIC protections.

CVE-2019-1338 is a security-feature bypass vulnerability that occurs in Windows when a MITM attacker is “able to successfully bypass the NTLMv2 protection if a client is also sending LMv2 responses.”

Attackers can exploit this vulnerability by modifying NTLM traffic exchange, and if successful, could downgrade NTLM security features. To address this, the update strengthens server-side NTLMv2 protections.

As Preempt explains, these vulnerabilities pose a serious threat to organizations because attackers could compromise an entire domain through a series of relay attacks.

Three critical vulnerabilities are remote code execution (RCE) vulnerabilities.

  • CVE-2019-1238 and CVE-2019-1239 are both VBScript vulnerabilities that can be used by attackers to corrupt memory and execute arbitrary code under the context of the current user. If the logged-in user has administrative rights, a malicious actor can take control of the affected system. If an attacker successfully exploits these vulnerabilities, they can install programs; view, change or delete data; and create new accounts with full user rights.

The update fixes this issue by changing how VBScript handles objects in memory.

  • CVE-2019-1333 is an RCE that occurs in Windows Remote Desktop Client when a user connects to a malicious server. Once connected, an attacker can run arbitrary code and take control of the target system. To exploit this vulnerability, however, an attacker would have to trick a user into connecting to a malicious server that's under their control. This can be accomplished with DNS poisoning, MITM attacks, or social engineering techniques. A bad actor could also tamper with a legitimate server, host malicious code on it and lie in wait. While an attacker may not be able to “force” users to connect to their malicious server, there are plenty of ways to trick them.

The remaining four critical vulnerabilities (CVE-2019-1307, CVE-2019-1308, CVE-2019-1335, CVE-2019-1336) are memory corruption bugs that occur when Chakra Scripting Engine handles objects in memory in Microsoft Edge. Attackers can exploit these vulnerabilities to run remote code, potentially allowing them to install programs, tamper with data or create new, privileged accounts.

Other Updates For October

This month, Apple also released a series of security updates. These include updates for iCloud for Windows 7.14 and Windows 10.7, iTunes 12.10.1 for Windows and macOS Catalina 10.15.

The updates for each Apple product contain fixes for multiple security vulnerabilities. Apple recommends patching for these vulnerabilities as soon as possible and notes that some of these vulnerabilities can be used by attackers to exploit and gain control of a targeted system.

October has also seen the release of a major security update for Android. In addition to Google, Samsung, Motorola, LG, Oppo, Huawei, and Xiaomi are also releasing updates for their affected devices. Known as CVE-2019-2215, this is a zero-day vulnerability that is already being exploited in the wild. According to reports, the affected devices include:

  • Google Pixel, Pixel XL, Pixel 2, and 2 XL
  • Samsung Galaxy S7, S8, and S9
  • Huawei P20
  • LG models running Android Oreo
  • Motorola Moto Z3
  • Oppo A3
  • Xiaomi A1, Redmi 5A, and Redmi Note 5

However, Google's Project Zero is cautioning that other devices may be also be affected by this vulnerability. While patching your organization's systems is going to be the top priority on Patch Tuesday, don't forget to take care of your phone (and encourage others to do the same).

Out-Of-Band Updates From September

At the tail-end of September, we saw the release of critical security updates from Microsoft and Adobe.  These are incredibly rare – and typically, they also indicate urgency.

Microsoft issued a rare Thursday update at the end of last month in order to reckon with an Internet Explorer zero-day that was actively being exploited in the wild, as well as a critical bug in Windows Defender.

CVE-2019-1367 is an RCE that affects the way the scripting engine handles objects in memory in Internet Explorer. An attacker can exploit this vulnerability by creating a website designed to target this vulnerability through Internet Explorer and convincing users to visit their malicious site – for example, by sending a link through email. The security update fixes this issue by changing how the scripting engine handles objects in memory.

CVE-2019-1367 is actively being exploited in the wild and the Department of Homeland Security is encouraging users to patch for this vulnerability immediately.

CVE-2019-1255 is a denial of service vulnerability that occurs when Microsoft Defender mishandles files. Microsoft says “an attacker could exploit this vulnerability to prevent legitimate accounts from executing legitimate system binaries.” The update tackles this issue by ensuring Defender handles files properly.

At the end of September, Adobe also released  a series of out-of-band updates for its ColdFusion web development platform. Three critical vulnerabilities affect ColdFusion 2018 version 4 and earlier, as well as ColdFusion 2016 version 11 and earlier. These vulnerabilities include:

  • CVE-2019-8072 – Security bypass vulnerability leading to information disclosure
  • CVE-2019-8073 – Command Injection via Vulnerable component vulnerability, leading to RCE
  • CVE-2019-8074 – Path traversal vulnerability allowing access control bypass

All three vulnerabilities are addressed by Adobe's late September updates.

While October is looking like a quiet month so far, the rush for an out-of-band update for last month's zero day serves as a reminder that malicious actors don't care about your patching schedule. Timely patching is an essential part of cyber hygiene for organizations of any size, and with automated patch management solutions, you can make sure all your bases are covered.

About Automox

Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.

Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.

Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.