Connect with us

The Online Technology

2 zero-days, 17 critical bugs – Naked Security

Security Watch

2 zero-days, 17 critical bugs – Naked Security


Every now and again, a Microsoft Patch Tuesday update arrives with a bang that sends users scrambling for cover.

Arguably, September 2019’s update earns that description, featuring no fewer than 17 critical flaws (excluding Adobe), plus two zero-day vulnerabilities marked ‘important’ which Microsoft says are being exploited in the wild.

The latter are CVE-2019-1214 and CVE-2019-1215, both elevation of privilege bugs in all versions (7, 8.1, 10, including Servers) of the Windows Common Log File System (CLFS) and ws2ifsl.sys (Winsock), respectively.

Both require local authentication, which means that the exploitation Microsoft is worried about probably depends on being used in conjunction with other vulnerabilities.

But don’t be lulled by the non-critical status – both are dangerous enough to allow an attacker to gain admin privileges.  The difference between ‘important’ and ‘critical’ in this context is just the amount of effort required rather than the trouble it could cause.

In addition, two others marked ‘important’, CVE-2019-1235 (Windows Test Service Framework) and CVE-2019-1294 (Secure Boot Bypass) are in the public domain, which means that exploitation is now a possibility.