Credit to Author: SophosLabs Offensive Security| Date: Wed, 09 Oct 2019 20:00:31 +0000
Last month started a bit overheated at Microsoft Security, when an out-of-band update was pushed for Windows in order to fix a browser bug being exploited in the wild.
However, Microsoft did not keep up the pace, and October’s Patch Tuesday brings with it fixes for an unusually low number of security vulnerabilities: 56. Of that, 20 are classified as Elevation of Privilege type of bugs, and another 14 as Remote Code Execution bugs. Notably, only 9 of this month’s fixed vulnerabilities are branded critical.
This month’s Patch Tuesday is also lacking the usual accompanying Adobe security update: Microsoft has notified us that Adobe’s security updates for Acrobat are delayed until October 15th.
On top of the modest number of bugs fixed this month, Microsoft was scarce with details shared to its MAPP partners, providing us with minimal information about only 5 of this month’s 56 vulnerabilities. Here’s what we know about a few of them:
Remote Desktop Client Remote Code Execution
We and the computer security press covered RDP (Remote Desktop Protocol) vulnerabilities extensively a few months ago, due to the RDP Server vulnerability “BlueKeep” fixed in this year’s May Patch Tuesday.
This month, Microsoft fixed another bug in RDP, but this time the affected component here is the client side of RDP, whereas previous fixes (such as the one that addressed the BlueKeep vulnerability) targeted the server components. A bug that affects the client-side of RDP means a system is only in danger of being compromised if a user runs the RDP client (the “mstsc.exe” command) to establish a connection to a malicious RDP server set up by an attacker.
When you consider how unlikely it is that such an attack can succeed, it can be safely deemed a low impact bug.
Internet Explorer / Chakra / VBScript Remote Code Execution
CVE-2019-1060, CVE-2019-1238, CVE-2019-1239, CVE-2019-1307, CVE-2019-1308, CVE-2019-1335, CVE-2019-1366, CVE-2019-1371
Adding to the Internet Explorer bug fixed in the out-of-band update, 8 bugs involving Microsoft browsers have been fixed in this rollup: 3 in VBScript, 1 in Internet Explorer, and 4 in Chakra (Edge).
Win32k Elevation of Privilege
One of the 20 vulnerabilities classified as Elevation of Privilege (EoP), CVE-2019-1362 is a memory corruption vulnerability in Win32k – the Kernel-mode side of the Windows graphical component.
In theory, an exploit around an EoP vulnerability could permit an attacker (with limited access to a system) to gain more control over it. When you augment a browser exploit with an EoP exploit, it becomes especially dangerous – it can be used as a “sandbox escape,” breaking the measures put in place to limit the damage a browser exploit alone might cause.
Sophos has released following detection to address the vulnerabilities mentioned above. Please note that additional vulnerabilities and corresponding detection may be released in the future.
How long does it take to have Sophos detection in place?
We aim to add detection to critical issues based on the type and nature of the vulnerabilities as soon as possible. Please note that some detection might not be available due to the availability of the data.
It is mostly not possible to test with Intercept-X due to the nature of the data we receive.
What if the vulnerability/0-day you look for is not covered above?
The most likely reason for this is we did not receive enough information about the vulnerability to create detection.
Please ask your question in the comment area or please escalate questions via LabRequests. The Threat Response team will triage and escalate AV coverage questions to the Emerging Threats team and to the IPS team for Snort signatures.