It’s that time of the month again when Microsoft performs house cleaning by stabilizing services and squashing bugs. That’s right folks, it’s time for September Patch Tuesday. This month, Microsoft has issued 80 security fixes spread across 15 services.
According to the company, 17 of those fixes address critical issues. Two of the vulnerabilities dealt with this Patch Tuesday are zero-day bugs, meaning flaws that are already being exploited in the wild.
The first of those zero-day vulnerabilities is CVE-2019-1214, an escalation of privilege (EoP) bug located in the Windows Common Log File System (CLFS) driver. CVE-2019-1215 is also an EoP bug, this one affecting the ws2ifsl.sys (Winsock) service.
Microsoft has not explained how the two bugs were exploited. However, the company credited a security researcher from Qihoo 360 Vulcan Team for disclosing the bug.
Remote Desktop Flaws
In recent months, we have become used to vulnerabilities in the Remote Desktop protocol. Microsoft has been patching issues for some time. For September Patch Tuesday, the company has shored up two vulnerabilities, CVE-2019-1290 and CVE-2019-1291.
Both of these issues were found by internal engineers. As Microsoft has not issued a warning, we guess these flaws are not wormable or remotely executed, like the worrying BlueKeep vulnerability. Speaking of BlueKeep, yesterday a working exploit for the flaw was released as open source.
Of course, vendors who use Microsoft platforms have embraced the Patch Tuesday idea. For example, Adobe and SAP have both released patches for their services this week.
As for Microsoft’s patches, you can find all details and fixes on Microsoft’s official Security Update Guide portal.