October is here and fall is in the air, even in Texas. Temperatures dropped this past week from highs in the 90s to lows in the 50s (Fahrenheit). The state fair is in full swing here, and the stores are full of Halloween decorations.
But to us IT security folks, ghosts and goblins aren’t nearly as scary as the real-world threats that we face every day: ransomware, computer viruses, spyware, phishing schemes, rootkits, bots and botnets, and many more types of cyberattacks.
Unlike horror story ghouls, though, they don’t have supernatural powers. Instead, many of them rely on vulnerabilities in software applications and operating systems to allow them to slip into our networks and onto our devices.
The good news is that means there are ways to protect against them, and one of the most basic ways is to keep up to date on security patches. This month’s Patch Tuesday falls on October 8th and brings us a healthy slate of updates for all of Microsoft’s currently supported operating systems and its pair of web browsers, with fixes for security issues – a few of them critical – across those product lines.
Now let’s look at some of the specifics of this month’s software updates and the vulnerabilities that they address.
As usual, the largest number of vulnerabilities patched are in Windows 10 and the two most recent server OS versions, 2016 and 2019. All versions of the Windows OS received fixes for critical vulnerabilities. Windows 10 version 1809 receives patches for nineteen vulnerabilities. Windows 10 versions 1803 and 1709 have twenty vulnerabilities addressed, and 1703 and 1607 get eighteen and nineteen, respectively. These numbers are far lower than those in September, when Win 10 versions 1809 and 1903 got patches for a whopping sixty-four vulnerabilities.
Only a few of these are rated critical this time (again, in contrast to last month): two in version 1803, and three in the other versions of Windows 10.
On the server side, Windows Server 2016 and 2019 will see nineteen vulnerabilities patched this month, three of which are critical. Windows Server 2008 R2 gets fourteen fixes, while Server 2012 R2 gets fifteen. In both cases, two of the issues are critical.
Windows 10 and Windows Server 2019
See the following KB articles for information about the issues addressed by the August 13 updates for the various versions of Windows 10:
- Windows 10 version 1709 – KB4462918 – contains security fixes for Internet Explorer, Windows Media Player, Microsoft Graphics Component, Windows Shell, Windows Kernel, Windows Datacenter Networking, Windows Storage and Filesystems, Microsoft Scripting Engine, and the Microsoft JET Database Engine.
- Windows 10 version 1803 – KB4462919 – contains security fixes for Internet Explorer 11, Windows Media Player, Microsoft Graphics Component, Windows Peripherals, Windows Shell, Windows Kernel, Windows Datacenter Networking, Windows Storage and Filesystems, Microsoft Edge, Microsoft Scripting Engine, Windows Linux, and the Microsoft JET Database Engine.
- Windows 10 version 1809/Windows Server 2019 – KB4464330 – contains security fixes for the Windows Kernel, Microsoft Graphics Component, Microsoft Scripting Engine, Internet Explorer, Windows Storage and Filesystems, Windows Linux, Windows Wireless Networking, Windows MSXML, the Microsoft JET Database Engine, Windows Peripherals, Microsoft Edge, and Windows Media Player, and also addresses an issue that affects group policy expiration whereby an incorrect timing calculation can prematurely remove profiles.
You can find details about each of the patches in the corresponding KB articles linked to each OS version above. Note that some of the cumulative updates also address non-security issues. This article focuses on the security-related fixes.
Older client operating systems
If you’re still using an older supported version of Windows, you’ll still need to be diligent about applying this month’s updates as critical vulnerabilities apply across all versions.
The following security updates apply to previous Windows operating systems:
- Windows 8.1/Server 2012 R2 – KB4462926 (Monthly Rollup) and KB4462941 (Security-only update). These include security updates to Windows Media Player, Microsoft Graphics Component, Windows Datacenter Networking, Windows Storage and Filesystems, Windows Kernel, and Microsoft JET Database Engine and address an issue in which all guest virtual machines running Unicast NLB fail to respond to NLB requests after the virtual machines restart.
- Windows 7 – KB4462923 (Monthly Rollup) and KB4462915 (Security-only update). These include security updates to Windows Media Player, Windows Graphics, Microsoft Graphics Component, Windows Storage and Filesystems, Windows Kernel, and the Microsoft JET Database Engine.
You can find details about each of the patches in the corresponding KB articles linked to each OS version above.
Prior Windows Server operating systems
Windows Server 2008 and 2012 received regular monthly and security-only updates as follows:
- Windows Server 2008 R2 – KB4463097 (Monthly Rollup) and KB4463104 (Security only). Includes security updates to Windows Media Player, Windows Graphics, Microsoft Graphics Component, Windows Storage and Filesystems, Windows Kernel, and the Microsoft JET Database Engine and addresses an issue in which all guest virtual machines running Unicast NLB fail to respond to NLB requests after the virtual machines restart.
- Windows Server 2012 R2 – KB4462926 (Monthly Rollup) and KB4462941 (Security only). Includes security updates to Windows Media Player, Microsoft Graphics Component, Windows Datacenter Networking, Windows Storage and Filesystems, Windows Kernel, and Microsoft JET Database Engine and addresses an issue in which all guest virtual machines running Unicast NLB fail to respond to NLB requests after the virtual machines restart.
Note that updates for Windows RT 8.1 and Microsoft Office RT software are only available via Windows Update.
Microsoft web browsers
Microsoft Internet Explorer 11 gets patches for two vulnerabilities this time around and both of them are rated critical, while Edge ups that number significantly with a total of nine (six of which are critical, two important, and one of low severity).
The following security updates apply to Microsoft’s web browsers:
KB4462949 – Cumulative security update for Internet Explorer. This update addresses several reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage in Internet Explorer.
Vulnerabilities in the Edge browser are addressed by Windows 10 operating system updates.
Other Microsoft products and Services
Updates were also released this month for the following software:
- ChakraCore
- Microsoft Office and Microsoft Office Services and Web Apps
- SQL Server Management Studio
- Open Source Software
- Microsoft Dynamics 365
- Windows Update Assistant
There are several known issues with the various updates, so please check out the “Known Issues” in each of the applicable KB articles.
The following are some examples of the critical vulnerabilities addressed by this month’s updates:
CVE-2019-1060 | MS XML Remote Code Execution Vulnerability
A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input. An attacker who successfully exploited the vulnerability could run malicious code remotely to take control of the user’s system.
CVE-2019-1238 | VBScript Remote Code Execution Vulnerability
A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
CVE-2019-1307 | Chakra Scripting Engine Memory Corruption Vulnerability
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
CVE-2019-1308 | Chakra Scripting Engine Memory Corruption Vulnerability
Another remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
CVE-2019-1333 | Remote Desktop Client Remote Code Execution Vulnerability
A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server. An attacker who successfully exploited this vulnerability could execute arbitrary code on the computer of the connecting client. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.