October 2019 Patch Tuesday: A small batch of updates from Microsoft, none from Adobe
As predicted by Ivanti’s Chris Goettl, October 2019 Patch Tuesday came with a relatively small number of Microsoft updates and, curiously enough, with no security updates from Adobe.
There is no report of any of the Microsoft bugs being exploited, but there is public PoC code for and info about a local privilege escalation flaw in Windows Error Reporting (CVE-2019-1315).
Microsoft’s patches
Microsoft has addressed nearly 60 vulnerabilities, nine of which are critical.
Seven of those affect browsers and scripting engines (Chakra, MS XML, VBScript) so, according to Jimmy Graham, Senior Director of Product Management at Qualys, they should be prioritized for any system that is used for email or to access the internet via a browser (i.e., workstations, multi-user servers that are used as remote desktops for users).
The other two are CVE-2019-1333, a remote code execution (RCE) flaw in the Windows Remote Desktop Client, and CVE-2019-1372, a RCE in Azure App Service.
To take advantage of the former, an attacker must trick users into connecting to a malicious or compromised RDP server controlled by them or intercept and re-route traffic to it. Also, since the flaw is client-side, it’s not wormable and, therefore, not as dangerous as the BlueKeep or DejaBlue bugs.
“Although listed as an RCE, you could look at [the Azure App Service RCE] as an Elevation of Privilege (EoP). These bugs rarely get listed as Critical severity, but this one certainly earns its rating,” says Trend Micro ZDI’s Dustin Childs.
“An attacker could use this vulnerability to have an unprivileged function run by a user execute code at the level of System. That provides an attacker a nifty sandbox escape. Microsoft gives this an ‘Exploitation Less Likely’ Exploit Index rating, but if you use the Azure App Service, don’t depend on that and do apply the patch.”
Childs also urges enterprises running Microsoft IIS servers to plug CVE-2019-1365 as soon as possible. “Similar to the previously mentioned Azure bug, an attacker could use this vulnerability to execute code as System and escape the sandbox. Given the importance of most IIS servers in an enterprise, definitely put this near the top of your test-and-deploy list,” he noted.
Finally, there’s the latest servicing stack updates (SSUs) for a variety of Windows and Windows Server editions, including Windows 7 and Windows Server 2008 R2, which will be out of extended support and no longer receiving updates as of January 14, 2020. These are also deemed to be critical – although that doesn’t mean that they contain any CVE fixes.
“The service stack is the Windows operating system component responsible for processing and deploying the OS and application patches/updates,” Goettl explained.
“SSUs should always be applied prior to all other updates to ensure a successful outcome. And while strongly recommended, but not specifically required, Microsoft states, ‘If you don’t install the latest servicing stack update, there’s a risk that your device can’t be updated with the latest Microsoft security fixes.'”
As a side note: it might be good for admins to implement the emergency Internet Explorer and Microsoft Defender fixes the company released on September 24 (if they haven’t already). The IE fix was initially available only as a manual update, then later via Windows Update.
Intel’s updates
This month’s Intel’s fixes are for:
- Two medium severity privilege escalation flaws in the Intel Active System Console for Intel Server Boards and Systems and Intel Smart Connect Technology for Intel NUC
- High severity EoP, DoS and information disclosure bugs in the system firmware for Intel NUC (affecting the Game Mini Computer and various versions of the NUC kit and board).
No updates from Adobe
As mentioned before, Adobe did not release any security updates on this Patch Tuesday. The latest ones were released on September 24, and were out-of-band updates for ColdFusion 2016 and 2018.