On what is being considered a quiet Patch Tuesday for Microsoft, they fixed 59 vulnerabilities, nine rated critical. CVE-2019-1366, CVE-2019-1307, CVE-2019-1308, and CVE-2019-1335 are all memory corruption bugs and rated critical. The issue arises when the Chakra scripting engine is responsible for specific objects in memory within the Microsoft Edge web browser. If exploited, these flaws can set off remote code execution, which could allow attackers to install programs, manipulate data, and create privileged accounts. Two VBScript RCEs within Internet Explorer were patched (CVE-2019-1238 and CVE-2019-1239) as well. CVE-2019-1333 is another RCE bug that affects the Windows Remote Desktop Client when users connect to a malicious server. “To exploit this vulnerability, an attacker would need to have control of a server and then convince a user to connect to it,” Microsoft stated in their advisory. “An attacker would have no way of forcing a user to connect to the malicious server, they would need to trick the user into connecting via social engineering, DNS poisoning or using a Man in the Middle (MITM) technique. An attacker could also compromise a legitimate server, host malicious code on it, and wait for the user to connect.” The final two critical bugs that were patched were CVE-2019-1060, which is an RCE in XML Score Services’ MSXML parser, and CVE-2019-1372, an RCE bug in the Azure App Service. Issues that affected SQL Server Management Studio and Dynamics 365 were also dealt with but were not rated critical. This is an unusual Patch Tuesday because of the fact that no zero-days were found, and no vulnerabilities were publicly disclosed.
Analyst Notes
Anyone who uses Microsoft’s services should implement these fixes if they are not automatically done as soon as possible. Other companies should make fixing vulnerabilities a common practice on the second Tuesday of every month as Microsoft does.
