For the September 2019 Patch Tuesday, Microsoft delivered fixes for 80 CVE-numbered security issues (including to actively exploited zero-days), Adobe fixed flaws in Flash Player and Application Manager, and Intel offered solutions and mitigations for two security holes, one of which could allow a side-channel attack aimed at acquiring sensitive data (e.g., keystrokes in a SSH session).
Let’s start with the zero-days exploited in the wild.
CVE-2019-1214 is an elevation of privilege vulnerability in the Windows Common Log File System (CLFS) Driver. CVE-2019-1215 is an elevation of privilege vulnerability in the Winsock IFS Driver (ws2ifsl.sys).
“Both flaws exist due to improper handling of objects in memory by the respective drivers,” says Satnam Narang, senior research engineer at Tenable, and points out that attackers must first gain access to a system before taking advantage of them.
Microsoft reports CVE-2019-1215 being used against both newer and older supported OSes, while CVE-2019-1214 is only being used against older ones.
“This is a fine time to remind you that Windows 7 is less than six months from end of support, which means you won’t be getting updates for bugs like this one next February,” says Trend Micro ZDI’s Dustin Childs, and advises: “Patch your systems, then work on your upgrade strategy.”
(Windows Server 2008 R2 will also be out of extended support and no longer receiving updates as of January 14, 2020.)
Other fixed vulnerabilities of note: