Microsoft Patching 60 Vulnerabilities in October Security Release
October is not looking like it's a too frightful of a patch month, with 60 software vulnerabilities getting addressed in Microsoft's "update Tuesday" security release.
Of that bunch, nine patches are addressing software vulnerabilities that are rated "Critical," with the rest deemed "Important," according to a count by Cisco's Talos security researcher Jon Munshaw in an announcement. The official list is Microsoft's "Security Update Guide" (69 pages), but there's also a shorter "Security Update Summary" (three pages).
None of the vulnerabilities getting addressed by Microsoft's bundle of patches were listed as being under attack or publicly known, according to Dustin Childs, a security researcher with Trend Micro's Zero Day Initiative, in an announcement. He described this month's release as being on the "smaller side."
IE Vulnerability Redux
Childs took a moment to reflect back on a Critical- and "Moderate"-rated Internet Explorer (IE) browser out-of-band patch (CVE-2019-1367) that was released by Microsoft back on Sept. 23.
He noted that this patch was rereleased on Oct. 3 to address problems with the first version, but there were still some reports about "printing issues" associated with it. Microsoft's latest note (dated Oct. 8) in its security bulletin stated that Tuesday's releases will "address a known printing issue customers might have experienced" after applying those IE patches.
Munshaw listed the nine Critical common vulnerabilities and exposures (CVEs) in this month's bundle as follows:
- CVE-2019-1333, a client-side remote code execution (RCE) flaw in Remote Desktop Services (RDS). It requires getting an end user to connect to a "malicious server."
- CVE-2019-1238 and CVE-2019-1239, RCE flaws associated with VBScript's memory handling process, which involves getting end users to visit a "malicious Website" using IE.
- CVE-2019-1307, CVE-2019-1308, CVE-2019-1335 and CVE-2019-1366, memory corruption vulnerabilities in the Microsoft Edge browser's Chakra Scripting Engine.
- CVE-2019-1372, an elevation-of-privilege flaw in Azure Stack associated with using the Azure App Service.
- CVE-2019-1060, an RCE flaw in Microsoft XML Core Services.
Important Updates and NTLM Flaws
Childs noted that there's an Important October patch for an elevation-of-privilege flaw in Microsoft's IIS Server that exploits a buffer overflow issue. "Given the importance of most IIS servers in an enterprise, definitely put this near the top of your test-and-deploy list," he added.
Another noteworthy Important October patch (CVE-2019-1166) addresses a tampering flaw in NT LAN Manager (NTLM). This vulnerability and a separate Windows NTLM bypass vulnerability (CVE-2019-1338) were discovered by researchers at Preempt, a San Francisco-based company focused on identity access security solutions.
NTLM is an old challenge-and-response authentication protocol that's still used in Windows systems, even though Microsoft recommends using Kerberos instead. Microsoft has added some protections to NTLM, such as Message Integrity Code (MIC), which wards off NTLM relay attacks, but Preempt found a way get around it. Here's how its researchers characterized the two CVEs in a detailed Preempt blog post:
For an overview of the MIC and the first vulnerability we discovered, you can review our previous blog post. In CVE 2019-1166, we were able to bypass the MIC protection, overcoming the fix for our previously disclosed vulnerability on the issue. In CVE-2019-1338, we were able to bypass the MIC protections, along with other NTLM relay mitigations such as EPA and the GPO for SPN target name validation for clients which add an LMv2 response to their NTLM authentication.
MIC helps ensure that NTLM messages don't get tampered with, according to Yaron Zinar, a security researcher at Preempt. He said via e-mail that these NTLM flaws are "relatively very easy [to exploit] if server signing is not enabled (which is the default settings)," but they are "near impossible [to exploit] if server signing is enabled -- which is our main recommendation."
Preempt also recommends applying the patches, using detection and prevention solutions for NTLM relay attack attempts, and avoiding weak clients. Also, getting rid of NTLM use, if possible, is recommended.
The Preempt blog included a description about the security of client responses during NTLM authentication. It noted that Mozilla's Firefox browsers on Linux and macOS machines send LMv2 responses that could lead to "bypassing various NTLM relay mitigations" when NTLMv2 responses are added.
Zinar said that Mozilla is aware that its NTLM implementation in Firefox is "weaker than it should be." He added that "they are not aware, as far as I know, that LMv2 has such a serious vulnerability as of yet. Using Firefox with NTLM enabled and no server signing is still risky."
Preempt sells a solution that's designed to add visibility on such NTLM issues. It also offers a free Preempt Lite solution that can be used to identify network vulnerabilities.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.