It's 2019, and Windows PCs can be pwned via a shortcut file, a webpage, an evil RDP server...
Microsoft joins Adobe and SAP in cleaning up security bugs, two of which are under active attack
Patch Tuesday Microsoft, Adobe, and SAP today delivered a load of security updates for this month's Patch Tuesday.
80 bugs squashed in Redmond
It will be a busy day for admins and users of Windows PCs and servers, as Microsoft has released updates for a total of 80 CVE-listed bugs.
Two of those flaws, CVE-2019-1214 and CVE-2019-1215, are elevation-of-privilege bugs already being exploited in the wild. In both cases, experts say, miscreants are going after older machines. CVE-2019-1215 preys on Winsock, specifically the ws2ifsl.sys kernel driver, a component that has been targeted by malware since 2007, while the exploit for CVE-2019-1214 (in the Common Log File System driver) appears to be aimed largely at Windows 7 boxes. Neither flaw gets an attacker onto a machine by itself: they let malware that is already running as an ordinary user escalate its privileges and hijack the whole box.
"This is a fine time to remind you that Windows 7 is less than six months from end of support, which means you won’t be getting updates for bugs like this one next February," said Dustin Childs of the Zero Day Initiative.
"Patch your systems, then work on your upgrade strategy."
Of the bugs classified by Microsoft as critical risks, four were remote code execution vulnerabilities in the Windows Remote Desktop client. CVE-2019-0787, CVE-2019-0788, CVE-2019-1290, and CVE-2019-1291 all address flaws that a malicious RDP server could exploit to run code on, and take over, a victim's PC once its client connects.
"An attacker would have no way of forcing a user to connect to the malicious server, they would need to trick the user into connecting via social engineering, DNS poisoning or using a Man in the Middle (MITM) technique," Microsoft notes.
"An attacker could also compromise a legitimate server, host malicious code on it, and wait for the user to connect."
As is usually the case, the majority of this month's critical patches address flaws in Microsoft's browser scripting engines. Chakra, VBScript, and the Internet Explorer scripting engine accounted for eight of the critical fixes. In each case, a specially crafted webpage could be used to remotely execute code on the visitor's PC.
Companies running Azure DevOps Server and Team Foundation Server will want to patch CVE-2019-1306, a remote code execution bug triggered when the attacker uploads a poisoned file that is then indexed by the vulnerable server.
The .lnk format used for application shortcuts in Windows is the focal point of CVE-2019-1280. The bug lets an attacker run a malicious program, with the rights of the current user, by placing it alongside a crafted .lnk file on a removable drive or remote share that the victim then opens.
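One way to triage media or shares for that pattern, as an added example that is not from the article or from Microsoft: walk a drive or share, read each shortcut's target through the WScript.Shell COM object, and flag shortcuts whose target sits on the same media, points at a script host or other living-off-the-land binary, or carries download-style arguments. The root path, extension list and binary names are assumptions chosen for illustration. Run it from a patched triage host: parsing an attacker-supplied .lnk is exactly what this class of bug abuses.

```powershell
# Added example, not the article's or Microsoft's code.
# Flags shortcut files on a removable drive or share whose targets look
# like the "malicious app hidden behind a .lnk" pattern described above.
param(
    # Assumed: drive letter of the removable media, or a UNC share path.
    [string]$Root = 'E:\'
)

$shell = New-Object -ComObject WScript.Shell

# Assumed lists; extend to taste.
$execExt  = '\.(exe|dll|scr|com|bat|cmd|vbs|js|jse|wsf|ps1|hta)$'
$lolbins  = '\\(cmd|powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin)\.exe$'
$badArgs  = '(-enc|-e |downloadstring|downloadfile|iex|invoke-expression|http[s]?://)'

$findings = foreach ($lnk in Get-ChildItem -Path $Root -Filter *.lnk -Recurse -File -ErrorAction SilentlyContinue) {
    # CreateShortcut on an existing .lnk loads it and exposes its fields.
    $sc      = $shell.CreateShortcut($lnk.FullName)
    $target  = [string]$sc.TargetPath
    $args    = [string]$sc.Arguments
    $reasons = @()

    if ($target -and $target.StartsWith($Root, [System.StringComparison]::OrdinalIgnoreCase)) {
        $reasons += 'target lives on the same media as the shortcut'
    }
    if ($target -match $execExt)   { $reasons += 'target is an executable or script' }
    if ($target -match $lolbins)   { $reasons += 'target is a script host / LOLBin' }
    if ($args   -match $badArgs)   { $reasons += 'arguments look like a download or encoded command' }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Shortcut  = $lnk.FullName
            Target    = $target
            Arguments = $args
            Reasons   = ($reasons -join '; ')
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    Write-Output "No suspicious shortcuts found under $Root"
}
```

A shortcut pointing at a document on the same drive is normal; a shortcut on a USB stick pointing at an .exe on that same stick, or at cmd.exe with a long argument string, is the case worth pulling for a closer look.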
CVE-2019-1235, an elevation of privilege flaw in the Windows Text Services Framework, and CVE-2019-1294, a security feature bypass in Secure Boot, should also be high on the list, as details of both are already public, though neither has yet been seen exploited.
Two Flash fixes and an Application Manager patch from Adobe
Adobe had a relatively quiet Patch Tuesday this month, issuing just two updates to address a total of three CVE-listed flaws.
For those still using Flash Player, the update brings fixes for CVE-2019-8070 and CVE-2019-8069, a pair of arbitrary code execution flaws from use after free and same origin method execution errors. Neither has been targeted in the wild thus far.
Adobe Application Manager (the installer tool used to unpack Adobe apps) also received an update to address CVE-2019-8076, an arbitrary code execution bug caused by insecure library loading, better known as DLL hijacking. No exploits have been reported in the wild, yet.
Lucky you, 13 more patches dropped by SAP
Not to be overlooked is the September patch bundle from enterprise giant SAP.
Among the 13 updates issued are two patches for HANA, one for SAP Business Client, and two updates for SAP Diagnostics Agent. ®