September 2019 Patch Tuesday – 79 Vulns, 17 Critical, Remote Desktop Client, SharePoint, Exploited PrivEsc

Jimmy Graham

Last updated on: October 27, 2022

This month’s Microsoft Patch Tuesday addresses 79 vulnerabilities with 17 of them labeled as Critical. Of the 17 Critical vulns, 8 are for scripting engines and browsers, 4 are for the Remote Desktop Client, and 3 are for SharePoint. In addition, Microsoft has again patched a critical vulnerability in LNK files, along with a vuln in Azure DevOps / TFS. Adobe has also released patches for Flash and Application Manager.

Update: Following Patch Tuesday, Microsoft updated the entries for CVE-2019-1214 and CVE-2019-1215 to remove the “exploited” label.

Workstation Patches

Scripting Engine, Browser, and LNK patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.

Remote Desktop Client

Microsoft has patched four remote code execution (RCE) vulnerabilities in the Remote Desktop Client: CVE-2019-0787, CVE-2019-0788, CVE-2019-1290, and CVE-2019-1291. To exploit these vulnerabilities an attacker would need to get a user to connect to a malicious or compromised RDP server. The vulnerabilities were discovered by Microsoft as a result of internal vulnerability testing against the Remote Desktop Client. These patches should be prioritized on all systems where the Remote Desktop Client is used.


Microsoft has also released patches covering three RCE vulnerabilities in SharePoint: CVE-2019-1257, CVE-2019-1295, and CVE-2019-1296. One involves uploading a malicious application package, while the other two are deserialization vulnerabilities in the SharePoint API. These patches should be prioritized for all SharePoint servers.

Azure DevOps Server / Team Foundation Server

Azure DevOps Server and Team Foundations Server (TFS) are affected by a Remote Code Execution vulnerability (CVE-2019-1306) that is exploited through malicious file uploads. Anyone who can upload a file can run code in the context of the Azure DevOps / TFS account. This includes anonymous users if the server is configured to allow it. This patch should be prioritized for any Azure DevOps or TFS installations.

Actively Attacked Privilege Escalation

Microsoft has also patched two privilege escalation vulnerabilities that have been exploited in the wild. CVE-2019-1214 is a vulnerability in the Common Log File System (CLFS) driver, and CVE-2019-1215 applies to the Winsock driver. These impact all supported versions of Windows, and patching should be prioritized. Privilege escalation vulnerabilities are commonly used along with Remote Code Execution where the RCE does not grant administrative rights.

Update: Following Patch Tuesday, Microsoft updated their entries for CVE-2019-1214 and CVE-2019-1215 to remove the “exploited” label.


Today was a light release for Adobe. They have fixed two critical vulnerabilities in Flash Player, which should be prioritized on any workstation-type systems. Adobe also fixed an Important-rated insecure DLL loading vulnerability in Application Manager.

Show Comments (2)


Your email address will not be published. Required fields are marked *

  1. Microsoft changed exploited designation for both CVE-2019-1214 and CVE-2019-1215 from Yes to No, and have sent an e-mail bulletin “Microsoft Security Update Minor Revisions” to inform customers of that change. Do you have some other source for information in this article or is there an out-of-date information in this article now?