Microsoft gave administrators a relatively light workload for October Patch Tuesday, which includes an update to correct stubborn printing problems that originated from an Internet Explorer zero-day fix.
Microsoft resolved 59 unique vulnerabilities with nine bugs rated critical in its October Patch Tuesday security updates. Software with fixes this month include Windows, Internet Explorer, Microsoft Edge, ChakraCore, Microsoft Office and Office Services and Web Apps, Windows Update Assistant, SQL Server Management Studio, Microsoft Dynamics 365 and the Open Enclave software development kit.
Administrators do not have a public disclosure to mitigate or a zero-day patch to deploy this month. Microsoft initially reported two zero-days (CVE-2019-1214 and CVE-2019-1215) on September Patch Tuesday but revised its advisories the next day to indicate neither vulnerability was actively exploited.
Four critical vulnerabilities (CVE-2019-1307, CVE-2019-1308, CVE-2019-1335 and CVE-2019-1366) relate to remote-code execution flaws in the Chakra scripting engine in Microsoft Edge running on Windows 10. The bug also affects Windows Server 2016 and Windows Server 2019 but has a moderate rating for both. Microsoft's patch adjusts the way the Chakra scripting engine handles objects in memory.
Microsoft addressed problems related to the Remote Desktop Protocol with fixes in all supported Windows versions for a critical Remote Desktop Client vulnerability (CVE-2019-1333) and an important denial-of-service vulnerability (CVE-2019-1326) in the Remote Desktop Protocol.
Microsoft corrected an IIS server elevation-of-privilege vulnerability (CVE-2019-1365) rated important that affects all supported Windows systems, but administrators should focus on patching Windows Server systems running as web servers. The patch fixes the IIS server's abilities to sanitize web requests to prevent an attacker from escaping the server's sandbox.
Microsoft addresses fallout from faulty patch
Many administrators who applied a recent out-of-band zero-day fix for Internet Explorer discovered an unwanted side effect on Windows client machines when users encountered printing problems.
Microsoft released a patch for a remote code execution vulnerability (CVE-2019-1367) in Internet Explorer on September 23 as a manual download. The bug, rated critical for supported Windows client OSes and moderate for Windows Server versions, allowed attackers to run code in the context of the current user to obtain the same rights as that user. In one scenario, an attacker could host the zero-day exploit on a website then use a link sent via email to entice unsuspecting users.
"For all applicable installations of Internet Explorer 9, 10 and 11, Windows customers should upgrade to the latest version to resolve that issue, so the third time's the charm," said Chris Goettl, director of product management and security at Ivanti, a security and IT management vendor based in South Jordan, Utah.
Chris GoettlDirector of product management and security, Ivanti
The urgency associated with zero-day patches coupled with the potential risk of a faulty patch after a rapid deployment typifies the struggle many IT workers grapple with regularly. Of the 16,500 CVEs reported in 2018, just 7 percent were either disclosed or exploited in a way that presented a legitimate threat, Goettl said.
"We've got a huge amount of noise that we've got to sift through to figure out what actually needs to be prioritized," he said.
The consequences from this recent IE zero-day patch might linger with an administrator who wanted to keep the organization secure by deploying the fix quickly but was unable to do enough testing before pushing it to production machines.
"There's a tipping point where the risk increases to the point where you've just got to do it and take the impact or you're risking exposure and that leads to breaches, ransomware attacks and everything that we're seeing across the globe," Goettl said.
Most Windows systems get another servicing stack update
One month after Microsoft updated the servicing stack for all Windows OSes, the company released another set of updates for all supported Windows systems, except for Windows 7 and Windows Server 2008/2008R2.
Administrators usually have about two months to apply these types of updates before Microsoft drops support, Goettl said. He recommended IT pros start early with their testing procedure to avoid a last-minute rush to deploy the updates. It's not clear if the October releases supersede the September ones, but Goettl said, with rare exceptions, that's usually been the case.
One other point of clarification: Administrators should not assume, if they've applied the latest Patch Tuesday releases, that this includes the servicing stack updates. Microsoft delivers servicing stack updates separately as a recommended update, not a security update.
Threats aimed at Adobe Flash Player continue to diminish
Adobe did not release a security update for Flash Player, which Microsoft has traditionally included with Patch Tuesday releases as a courtesy for its customers. Adobe announced it would end support for Flash Player in December 2020, which may contribute to waning interest as enterprises shift to HTML5 and other alternatives. It was the third Patch Tuesday in 2019 without a Flash Player fix, according to Goettl.
"The message there is Flash is in decline. Adobe is shifting its efforts elsewhere and white hats are spending less time on it as well," he said. "If Flash is in your environment, it's not that it's less vulnerable, but there's less attention on it."