Nine critical flaws patched, and the good news is there are no zero-day flaws requiring system admin attention
Microsoft has issued its monthly security (Patch Tuesday) update to fix a total of 59 vulnerabilities in its operating systems and products.
There were no zero-day flaws in the October update that required urgent patching (good news for systems admins), but nine flaws were rated as critical, with 49 flaws rated as important. One flaw was rated moderate.
The update covers a range of Microsoft products including Windows 10, Internet Explorer, Edge, Microsoft Office, SQL Server and some development tools.
Quiet Patch Tuesday?
“Microsoft has resolved a total of 59 vulnerabilities with no reported exploits or public disclosures,” noted Chris Goettl, director of security solutions at Ivanti. “One might almost call this a quiet Patch Tuesday if not for the anxiety over the IE zero-day and fallout of reported issues that resulted over the past week.”
“Microsoft released Servicing Stack Updates (ADV990001) for all but Windows 7, Server 2008 and Server 2008 R2,” said Goettl. “SSUs are separate from the regular cumulative and security-only updates released by Microsoft.”
“As you test updates this month keep in mind the IE zero-day that originally released on September 23,” he added. “The IE zero-day (CVE-2019-1367) released for Windows 10 through cumulative updates for 1903 back to 1703, Server 2019 and Server 2016, but an IE rollup for pre Windows 10 systems needed to be manually downloaded.
“On September 24 optional non-security cumulative updates for Windows 10 and monthly rollup previews for pre-win10 systems released and while Microsoft did not specify, the IE Zero Day fix was included in these non-security updates,” he added.
Goettl noted that this update cycle did not include patches for Adobe Flash Player.
“This makes three Patch Tuesdays in 2019 that Flash did not release to resolve security vulnerabilities,” he warned. “If you have not already eliminated Flash from your environments it would be wise to begin. Usage is falling off steadily and as such it is getting less attention.”
He also pointed out that Oracle should release its security updates next Tuesday, 15 October.
Another security expert also noted the light load of patches this month.
“Microsoft’s security update for the month of October is one of the lightest patch Tuesdays of the year with the release of only 60 CVEs,” blogged Trustwave.
“However, it still packs a punch with 9 “Critical” CVEs and the remaining 51 CVEs are rated as “Important”,” the vendor wrote.
“The good news is that none of these CVEs have publicly available exploits or been seen yet exploited in the wild,” Trustwave added. “Additionally, there is no rollup patch for Adobe Flash which is very uncommon. However, it shouldn’t be ruled out possibly an out-of-band roll-out for Adobe Flash later this month.”
“One of the most severe vulnerabilities on the “Critical” list could allow a Remote Desktop Protocol (RDP) server running specifically crafted code to achieve Remote Code Execution (RCE) on a Windows RDP client known as CVE-2019-1333,” it warned.
Another security expert also picked up the lack of zero-day flaws.
“This month’s Patch Tuesday release contains updates for nearly 60 CVEs, including nine vulnerabilities rated critical,” said Satnam Narang, senior research engineer at Tenable. “There were no vulnerabilities exploited in the wild this month, nor were any publicly disclosed prior to Patch Tuesday.”