Microsoft Patch Tuesday Fixes 59 Flaws

Microsoft has issued its monthly security (Patch Tuesday) update to fix a total of 59 vulnerabilities in its operating systems and products.

There were no zero-day flaws in the October update that required urgent patching (good news for systems admins), but nine flaws were rated as critical, with 49 flaws rated as important. One flaw was rated moderate.

The update covers a range of Microsoft products including Windows 10, Internet Explorer, Edge, Microsoft Office, SQL Server and some development tools.

Quiet Patch Tuesday?

“Microsoft has resolved a total of 59 vulnerabilities with no reported exploits or public disclosures,” noted Chris Goettl, director of security solutions at Ivanti. “One might almost call this a quiet Patch Tuesday if not for the anxiety over the IE zero-day and fallout of reported issues that resulted over the past week.”

“Microsoft released Servicing Stack Updates (ADV990001) for all but Windows 7, Server 2008 and Server 2008 R2,” said Goettl. “SSUs are separate from the regular cumulative and security-only updates released by Microsoft.”

“As you test updates this month keep in mind the IE zero-day that originally released on September 23,” he added. “The IE zero-day (CVE-2019-1367) released for Windows 10 through cumulative updates for 1903 back to 1703, Server 2019 and Server 2016, but an IE rollup for pre Windows 10 systems needed to be manually downloaded.

“On September 24 optional non-security cumulative updates for Windows 10 and monthly rollup previews for pre-win10 systems released and while Microsoft did not specify, the IE Zero Day fix was included in these non-security updates,” he added.

Goettl noted that this update cycle did not include patches for Adobe Flash Player.

“This makes three Patch Tuesdays in 2019 that Flash did not release to resolve security vulnerabilities,” he warned. “If you have not already eliminated Flash from your environments it would be wise to begin. Usage is falling off steadily and as such it is getting less attention.”

He also pointed out that Oracle should release its security updates next Tuesday, 15 October.

Another security expert also noted the light load of patches this month.

“Microsoft’s security update for the month of October is one of the lightest patch Tuesdays of the year with the release of only 60 CVEs,” blogged Trustwave.

“However, it still packs a punch with 9 “Critical” CVEs and the remaining 51 CVEs are rated as “Important”,” the vendor wrote.

“The good news is that none of these CVEs have publicly available exploits or been seen yet exploited in the wild,” Trustwave added. “Additionally, there is no rollup patch for Adobe Flash which is very uncommon. However, it shouldn’t be ruled out possibly an out-of-band roll-out for Adobe Flash later this month.”

“One of the most severe vulnerabilities on the “Critical” list could allow a Remote Desktop Protocol (RDP) server running specifically crafted code to achieve Remote Code Execution (RCE) on a Windows RDP client known as CVE-2019-1333,” it warned.

Another security expert also picked up the lack of zero-day flaws.

“This month’s Patch Tuesday release contains updates for nearly 60 CVEs, including nine vulnerabilities rated critical,” said Satnam Narang, senior research engineer at Tenable. “There were no vulnerabilities exploited in the wild this month, nor were any publicly disclosed prior to Patch Tuesday.”

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...