No matter how prepared you are, Patch Tuesday never fails to throw in a surprise.
All supported versions of Windows are affected by two privilege escalation vulnerabilities that have already been exploited in the wild, CVE-2019-1214 and CVE-2019-1215. Since they’re privilege escalation vulnerabilities, they allow attackers to launch programs with elevated administrative privileges. Privilege escalation vulnerabilities are commonly used in combination with remote code execution (RCE) vulnerabilities that don’t grant administrative rights on their own.
Microsoft has also patched four RCE vulnerabilities in Remote Desktop Client, which we’ll look into in detail later in the blog. You must prioritize the patches for all these critical vulnerabilities, but there’s a lot more work to be done this Patch Tuesday.
In total, the Microsoft Patch Tuesday September 2019 updates fix 79 vulnerabilities in different flavors of Windows OS and related products. Of these updates, 17 are rated Critical.
Patch Tuesday updates for Microsoft products
Microsoft Patch Tuesday September 2019 covers vulnerabilities in:
Microsoft Office, including SharePoint
Microsoft Exchange Server
Adobe Flash Player
Team Foundation Server
Here’s a brief look at Microsoft Patch Tuesday September 2019’s most important releases.
Yet another update for Windows Remote Desktop
Patches for Remote Desktop have lately become routine for Microsoft. All four Remote Desktop vulnerabilities included in this month’s Patch Tuesday are RCE vulnerabilities (CVE-2019-0787, CVE-2019-0788, CVE-2019-1290, and CVE-2019-1291). To exploit them, an attacker would need to get a user to connect to a malicious or compromised Remote Desktop Protocol (RDP) server. An attacker who successfully exploits one of these vulnerabilities could execute arbitrary code on the computer of the connecting client. That attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Critical vulnerabilities patched
Of the 79 vulnerabilities, 17, including the RDP vulnerabilities mentioned earlier, are labeled Critical. Besides the four RDP vulnerabilities, Microsoft has patched eight critical vulnerabilities in scripting engines and browsers, and three in SharePoint. Vulnerabilities under this severity level are easily exploitable and can result in RCE, root-level compromise of servers, or information disclosure, all with little to no interaction on the part of the user. As always, Critical vulnerabilities should be given the utmost importance and remediated first.
Third-party patches: Adobe updates
Adobe, another tech giant, has released only two Critical patches for Flash Player and has patched an insecure dynamic-link library (DLL) loading vulnerability in Application Manager (rated Important).
How to handle Microsoft Patch Tuesday updates for September 2019
The following are a few best practices to tackle Microsoft Patch Tuesday September 2019 and ensure your organization is safe against threat actors leveraging software vulnerabilities.
Prioritize patching for the two privilege escalation vulnerabilities, CVE-2019-1214 and CVE-2019-1215, as well as the four Critical RCE flaws in Remote Desktop Client: CVE-2019-0787, CVE-2019-0788, CVE-2019-1290, and CVE-2019-1291.
Automate all other Critical and Important updates right after that.
Schedule Patch Tuesday updates to go out during non-business hours to prevent downtime.
Create a test group to verify the stability of Patch Tuesday updates before rolling them out to production machines.
Decline less critical patches to prioritize important issues.
Postpone or schedule reboots for critical machines and servers.
Run patch reports to ensure network endpoints are up-to-date with the latest patches.
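The prioritization steps above as a small triage script. This is an added example, not ManageEngine's or Microsoft's code; the update IDs, ratings, placeholder CVEs, host names and wave names are constructed assumptions.

```python
from dataclasses import dataclass

# CVEs the article says to patch first.
PRIORITY_CVES = frozenset({
    "CVE-2019-1214", "CVE-2019-1215",   # privilege escalation, exploited in the wild
    "CVE-2019-0787", "CVE-2019-0788", "CVE-2019-1290", "CVE-2019-1291",  # RDP client RCE
})

@dataclass(frozen=True)
class Update:
    update_id: str     # constructed placeholder, not a real KB number
    severity: str      # vendor rating (constructed for this sample)
    cves: frozenset    # CVE IDs the update fixes

def wave(update):
    """1 = patch first, 2 = automate right after, None = decline for now."""
    if update.cves & PRIORITY_CVES:     # keyed on the CVE, not on the rating
        return 1
    if update.severity in ("Critical", "Important"):
        return 2
    return None

def plan(updates):
    """Group update IDs into rollout waves (test group first, then production)."""
    result = {"wave1": [], "wave2": [], "declined": []}
    for u in sorted(updates, key=lambda u: u.update_id):
        w = wave(u)
        result["declined" if w is None else f"wave{w}"].append(u.update_id)
    return result

def missing_wave1(rollout, installed_by_host):
    """Patch report: hosts still lacking a wave-1 update, with what is missing."""
    required = set(rollout["wave1"])
    gaps = {h: sorted(required - set(done)) for h, done in installed_by_host.items()}
    return {h: m for h, m in gaps.items() if m}

# Constructed inventory and install state; IDs, ratings and host names are made up.
SAMPLE = [
    Update("UPD-0004", "Moderate", frozenset({"CVE-PLACEHOLDER-B"})),
    Update("UPD-0001", "Important", frozenset({"CVE-2019-1214", "CVE-2019-1215"})),
    Update("UPD-0003", "Critical", frozenset({"CVE-PLACEHOLDER-A"})),
    Update("UPD-0002", "Critical", frozenset({"CVE-2019-0787", "CVE-2019-0788",
                                              "CVE-2019-1290", "CVE-2019-1291"})),
]
INSTALLED = {"ws-01": ["UPD-0001", "UPD-0002"], "ws-02": ["UPD-0002"], "srv-01": []}

if __name__ == "__main__":
    print(plan(SAMPLE))
    print(missing_wave1(plan(SAMPLE), INSTALLED))
```

Wave 1 is selected by CVE ID, so an update that fixes one of the listed CVEs is patched first whatever rating it carries.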
If you’re a sysadmin, you probably know what this means for you: a week full of testing and deploying updates on thousands of machines and troubleshooting patch failures, and then another week or so of waiting for hotfixes that mend issues introduced by the patches themselves.
Don’t worry, we’ve got you covered.
ManageEngine offers two solutions—Desktop Central and Patch Manager Plus. Both help you automate all the best practices mentioned above from one central console. Try both solutions free for 30 days to keep more than 750 applications, including over 300 third-party applications, up-to-date.