Patch Tuesday – October 2019

Black Surface Hero Windows Logo

Microsoft released cumulative updates (CU) for Windows 10 after September’s Patch Tuesday. Late September saw an optional out-of-band CU (KB4524147) released to fix a problem with the print spooler. Then a required CU (KB4524147) came at the beginning of October, expanding on KB4524147 to add an important fix for a scripting engine vulnerability in Internet Explorer (IE). But both updates caused issues for some users, including breaking the Start menu and Windows Search.

The only good news this month is that it’s relatively light on bug fixes and that there are no zero-days to worry about. But because of issues users have been experiencing with Microsoft’s updates for Windows 10 over the past few months, you should make sure you thoroughly test CUs in your environment before rolling them out to all users.

Windows 10, Windows Server 2016, and Windows Server 2019

This month there are just two critical vulnerabilities patched for Windows 10 and Windows Server, both of which are remote code execution (RCE) flaws. The first is in the XML Core Services MSXML parser and how it processes user input. A successful exploit could let an attacker run malicious code and take control of systems. An attacker could trick a user into clicking a specially crafted link and run malicious code remotely. According to Microsoft, this bug only affects Internet Explorer. The second RCE is in the Remote Desktop Client. If a user connects to a malicious server, an attacker could use the flaw to run arbitrary code to install programs, access and change data, and create accounts with full admin rights.

Fixes rated important this month include two RCEs. One is in the Jet Database Engine and how it handles objects in memory. The second is in the Windows Imaging API and is again in how it handles objects in memory. A user would have to open a specially crafted .WIM file to let the attacker execute arbitrary code in the context of the logged in user.

There are also patches for 13 elevation of privilege (EoP) flaws rated as important, including in Internet Information Services (IIS), Windows Setup, Windows Error Reporting, and Windows Power Service. There’s a patch rated important that fixes an issue when Windows Secure Boot improperly restricts access to debugging functionality, which could disclose protected kernel memory.

Microsoft Edge (EdgeHTML)

There are four critical RCEs for EdgeHTML this month, all connected to how the Chakra scripting engine handles objects in memory. Three flaws rated important are fixed for information disclosure and spoofing.

Windows 7 and Windows Server 2008 R2

There’s one critical fix for the same Remote Desktop Client RCE that affects the Windows 10 family. Two important RCEs are patched for the Jet Database Engine issue. There’s a series of patches for EoP issues and one for a security feature bypass vulnerability where a man-in-the-middle attacker could bypass NTLMv2 protection if a client is also sending LMv2 responses. There are also important and critical fixes for Internet Explorer 11.

Microsoft Office 365 ProPlus

Two RCEs rated important get plugged this month. Both are in how Excel handles objects in memory and require users to open a specially crafted Excel file for successful exploitation.

Exchange, SharePoint, and SQL Server

SharePoint Enterprise Server 2013 Service Pack 1 gets an important RCE fix this month, but it is the same issue that affects Excel as reported above. SharePoint Foundation 2013 SP1, SP2, and SP3; and SharePoint Enterprise 2016, all get fixes for important EoP flaws.

Adobe Updates

Flash Player gets updated to version this month, but there’s no information about whether it contains security fixes.

And that’s it until November!