September 20, 2020

RDP Client/Excel/SharePoint Remote Code Execution Vulnerability Alert


On September 11, 2019, Microsoft released its September security update. The update covers Windows, IE, Edge, ChakraCore, Office Services, Skype, Visual Studio, .NET Framework, Exchange Server, Microsoft Yammer, and Team Foundation Server: a total of 80 CVEs, of which 17 are rated high-risk and 62 intermediate-risk. The most prominent are three local privilege escalation vulnerabilities, an RDP Client remote code execution vulnerability, a SharePoint remote code execution vulnerability, and an Excel remote code execution vulnerability. Users are advised to update their systems and install the Windows patches promptly to avoid attacks.

Windows zero day flaws

CVE-2019-1215 – Windows Winsock2 Integrated File System Local Privilege Escalation Vulnerability

This is a Local Privilege Escalation (LPE) in the Winsock2 integrated file system layer (ws2ifsl.sys). An attacker who exploited this vulnerability could elevate from a normal user to administrator level. Microsoft reported that the vulnerability is being actively exploited. This driver has also been targeted by malware in the past, with attacks traced back as far as 2007.

CVE-2019-1214 – Windows Universal Log File System Driver Local Privilege Escalation Vulnerability

This vulnerability is in the Common Log File System (CLFS) driver. An attacker could elevate from a normal user to administrator level.

CVE-2019-1289 – Windows Update Delivery Optimization Component Local Privilege Escalation Vulnerability

Windows Update Delivery Optimization (WUDO) is a feature added in Windows 10. It is designed to reduce network bandwidth usage by letting a computer fetch updates from other peers on the network that have already downloaded them. A local attacker can exploit this vulnerability to overwrite files they normally have no access to, which leads directly to local privilege escalation.

CVE-2019-1257 – Microsoft SharePoint Remote Code Execution Vulnerability

This vulnerability is one of the three key deserialization vulnerabilities in SharePoint. An attacker could upload a specially crafted SharePoint application package to an affected server, causing malicious code to be executed on the server.

CVE-2019-0787/CVE-2019-0788/CVE-2019-1290/CVE-2019-1291 Windows RDP Client Remote Code Execution Vulnerability

All four vulnerabilities are rated Critical. Unlike the May BlueKeep vulnerability (CVE-2019-0708) and the August DejaBlue vulnerabilities (CVE-2019-1181/1182), this series affects the client side: remote code execution is triggered when the victim connects to a malicious server. They cannot spread as widely as those earlier vulnerabilities, but they still pose a serious security risk.

CVE-2019-1208/CVE-2019-1236 VBScript Remote Code Execution Vulnerability

VBScript is a scripting language developed by Microsoft. It can be regarded as a simplified version of the VB language and is closely related to Visual Basic for Applications. It is easy to learn. The language is widely used in web pages and ASP applications, and it can also be run directly as an executable script.

The details of this vulnerability have not been made public.

CVE-2019-1280 LNK Remote Code Execution Vulnerability

This class of vulnerability has always attracted widespread concern. It is a remote code execution vulnerability in the way Microsoft Windows processes LNK (shortcut) files. When a USB flash drive carrying a malicious LNK file is plugged into a vulnerable computer, no further user action is required and the exploit can take complete control of the user's system. The vulnerability may also be triggered when users access network shares, download files from the Internet, copy files, and so on.

The vulnerability can be triggered under any of the following conditions:

1. USB autoplay is enabled on the system and a USB drive carrying the malicious file is inserted; the vulnerability triggers immediately.

2. The directory containing the malicious file is accessed directly through a network share.

The details of this vulnerability have not been made public.
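As an added defender-side example (not part of the original advisory), the following PowerShell script audits the AutoPlay policy that the first LNK trigger condition above depends on, and can disable it. The registry paths and values are the documented "Turn off AutoPlay" policy settings; they are assumed to apply to the Windows hosts you manage.

```powershell
# Added example, not from the original advisory: audit (and optionally enforce)
# the policy that turns AutoPlay off for all drive types, removing the
# "USB autoplay enabled" LNK trigger condition.
# NoDriveTypeAutoRun = 0xFF disables AutoPlay for every drive type;
# NoAutorun = 1 makes Windows ignore autorun.inf commands.
[CmdletBinding()]
param([switch]$Remediate)

$PolicyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Get-AutoPlayState {
    param([string]$Path)
    # Missing key or value means the policy is not set (AutoPlay left on).
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $driveMask = if ($null -ne $props.NoDriveTypeAutoRun) { [int]$props.NoDriveTypeAutoRun } else { $null }
    $noAutorun = if ($null -ne $props.NoAutorun) { [int]$props.NoAutorun } else { $null }
    [pscustomobject]@{
        Path               = $Path
        NoDriveTypeAutoRun = $driveMask
        NoAutorun          = $noAutorun
        Compliant          = ($driveMask -eq 0xFF) -and ($noAutorun -eq 1)
    }
}

function Set-AutoPlayDisabled {
    param([string]$Path)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name 'NoDriveTypeAutoRun' -Value 0xFF -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $Path -Name 'NoAutorun' -Value 1 -PropertyType DWord -Force | Out-Null
}

foreach ($p in $PolicyPaths) {
    $state = Get-AutoPlayState -Path $p
    $state | Format-List
    if ($Remediate -and -not $state.Compliant) {
        Set-AutoPlayDisabled -Path $p
        Write-Host "AutoPlay disabled under $p"
    }
}
```

Run without `-Remediate` to audit only; the HKLM path requires an elevated session to write.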

CVE-2019-1233 Exchange Denial of Service Vulnerability

Microsoft Exchange Server is Microsoft's email server product. In addition to traditional email access, storage, and forwarding, newer versions add auxiliary features such as voicemail, email filtering, and OWA (web-based email access). Exchange Server supports a variety of email protocols including SMTP, NNTP, POP3, and IMAP4, and is tightly integrated with Microsoft's Active Directory. This vulnerability could be used to shut down an affected server by sending it a malicious message, with no user interaction required.

The details of this vulnerability have not been made public.

CVE-2019-1240/CVE-2019-1241/CVE-2019-1242/CVE-2019-1243 Jet Database Engine Remote Code Execution Vulnerability

Microsoft Jet is Microsoft's database engine for file-based databases. It supports a wide variety of file-type data sources, such as Microsoft Access, Microsoft Excel, and dBase.

The Jet database engine is accessed using SQL statements. It is bundled with Windows and used by multiple Windows products.

The details of this vulnerability have not been made public.

CVE-2019-1297 Excel Remote Code Execution Vulnerability

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1297)