This month’s Patch Tuesday addresses 74 vulnerabilities, with 16 labeled as Critical. Eight of the Critical vulns are for scripting engines and browser components, impacting Microsoft browsers and Office, along with another 5 Critical vulns in MSXML. Two Critical remote code execution (RCE) vulnerabilities are patched in GDI+ and IOleCvt. Two privilege escalation vulns in Win32k are reported as Actively Attacked, while another in the Windows AppX Deployment Service has a public PoC exploit.
Scripting Engine and MSXML patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.
Actively Attacked Privilege Escalation in Win32k
Two vulnerabilities (CVE-2019-0803 & CVE-2019-0859) exist in Win32k that could lead to privilege escalation if exploited. Microsoft reports both of these vulnerabilities as Actively Attacked. Patching should be prioritized for both Workstations and Servers.
Windows AppX Deployment Service Privilege Escalation PoC
Another privilege escalation vulnerability exists in the Windows AppX Deployment Service (AppXSVC). This service is responsible for the deployment of Windows Store apps. The vulnerability involves the service’s handling of hard links. A PoC has been made available in the public domain. Patching should be prioritized for both Workstations and Servers, as this service exists on both Windows 10 and Server 2019.
RCE vulns in GDI+ and IOleCvt
Two Critical remote code execution (RCE) vulnerabilities are patched in GDI+ and IOleCvt. These vulnerabilities require user interaction, and patching should be prioritized for workstation-type systems.
Privilege Escalation in SMB Server
A privilege escalation vulnerability was patched in the SMB Server. Exploiting this vulnerability requires the attacker to be logged into the target system and access to a malicious file via SMB.
Adobe released a large number of patches today including Flash Player, Acrobat and Reader, Shockwave Player, Dreamweaver, Adobe XD, InDesign, Experience Manager Forms, and Bridge CC. The Flash Player patch covers 1 Critical RCE and 1 Important vuln. Microsoft also ranks the Flash patches as Critical. The Acrobat/Reader patches cover 21 different vulnerabilities, 11 of which are Critical RCE. Adobe Flash and Acrobat/Reader patches should be prioritized for workstation-type systems.