Microsoft Patch Tuesday Fixes 59 Flaws

Microsoft has issued its monthly security (Patch Tuesday) update to fix a total of 59 vulnerabilities in its operating systems and products.

There were no zero-day flaws in the October update that required urgent patching (good news for systems admins), but nine flaws were rated as critical, with 49 flaws rated as important. One flaw was rated moderate.

The update covers a range of Microsoft products including Windows 10, Internet Explorer, Edge, Microsoft Office, SQL Server and some development tools.

Quiet Patch Tuesday?

“Microsoft has resolved a total of 59 vulnerabilities with no reported exploits or public disclosures,” noted Chris Goettl, director of security solutions at Ivanti. “One might almost call this a quiet Patch Tuesday if not for the anxiety over the IE zero-day and fallout of reported issues that resulted over the past week.”

“Microsoft released Servicing Stack Updates (ADV990001) for all but Windows 7, Server 2008 and Server 2008 R2,” said Goettl. “SSUs are separate from the regular cumulative and security-only updates released by Microsoft.”

“As you test updates this month keep in mind the IE zero-day that originally released on September 23,” he added. “The IE zero-day (CVE-2019-1367) released for Windows 10 through cumulative updates for 1903 back to 1703, Server 2019 and Server 2016, but an IE rollup for pre Windows 10 systems needed to be manually downloaded.

“On September 24 optional non-security cumulative updates for Windows 10 and monthly rollup previews for pre-win10 systems released and while Microsoft did not specify, the IE Zero Day fix was included in these non-security updates,” he added.

Goettl noted that this update cycle did not include patches for Adobe Flash Player.

“This makes three Patch Tuesdays in 2019 that Flash did not release to resolve security vulnerabilities,” he warned. “If you have not already eliminated Flash from your environments it would be wise to begin. Usage is falling off steadily and as such it is getting less attention.”

He also pointed out that Oracle should release its security updates next Tuesday, 15 October.

Another security expert also noted the light load of patches this month.

“Microsoft’s security update for the month of October is one of the lightest patch Tuesdays of the year with the release of only 60 CVEs,” blogged Trustwave.

“However, it still packs a punch with 9 “Critical” CVEs and the remaining 51 CVEs are rated as “Important”,” the vendor wrote.

“The good news is that none of these CVEs have publicly available exploits or been seen yet exploited in the wild,” Trustwave added. “Additionally, there is no rollup patch for Adobe Flash, which is very uncommon. However, it shouldn’t be ruled out possibly an out-of-band roll-out for Adobe Flash later this month.”

“One of the most severe vulnerabilities on the “Critical” list could allow a Remote Desktop Protocol (RDP) server running specifically crafted code to achieve Remote Code Execution (RCE) on a Windows RDP client known as CVE-2019-1333,” it warned.

Another security expert also picked up the lack of zero-day flaws.

“This month’s Patch Tuesday release contains updates for nearly 60 CVEs, including nine vulnerabilities rated critical,” said Satnam Narang, senior research engineer at Tenable. “There were no vulnerabilities exploited in the wild this month, nor were any publicly disclosed prior to Patch Tuesday.”

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...