Virtual Administrator’s October 2019 Patch Recommendations

This month Microsoft released patches for 59 vulnerabilities with 9 rated “Critical”, 49 as “Important” and 1 as “Moderate” in severity.

All October patches have been approved in our patch policy.

October’s Patch Tuesday releases were uneventful and for the most part problem free.  The real “action’ this month was the zero-day released on September 23 and the mess Microsoft created with its response – see Zero-Day Issues below.  That zero-day (CVE-2019-1367) patch is included in this month’s Cumulative Update/Monthly Rollup.  There are reports of Search and Start menu issues with KB4517389 for Windows 10 v1903 – see Known Issues below.

No Adobe Flash Player patch this month and no new Security Advisories

 

Zero-Day Issues

On September 23rd Microsoft released a manual install zero-day patch for CVE-2019-1367 a Scripting Engine Memory Corruption Vulnerability in IE.  Over the next few days they released a version included in Windows Updates that would be installed automatically. Those patches caused problems with the printer spooler service. In response the Microsoft released a new patch on October 3rd but that patch seemed to make the printing issues worse. The Cumulative Updates release on Patch Tuesday appears to have corrected the printing issues.

 

Heads Up! [ADV990001] – New Servicing Stack Updates (SSU) for most operating systems. Up to date SSUs are critical. Many do not show up in the regular Windows Updater scans and should be installed in the background automatically.  ClubMSP offers scripts to audit the current SSU version as well as installation scripts. It is recommended that all partners run the “MS Stack Audit” to determine if their machines are current. “MS Stack Audit AIO” can be used to install the newest SSU if necessary.

Disclosed: None

Exploited: CVE-2019-1367

 

Security Update Guide

https://portal.msrc.microsoft.com/en-us/security-guidance

 

Morphus Labs patch dashboard here: https://patchtuesdaydashboard.com

 

Affected software include:

  • Microsoft Windows
  • Internet Explorer
  • Microsoft Edge
  • ChakraCore
  • Microsoft Office, Office Services and Web Apps
  • SQL Server Management Studio
  • Open Source Software
  • Microsoft Dynamics 365
  • Windows Update Assistant

 

Microsoft Security Advisories

 

ADV990001 | Latest Servicing Stack Updates (Published: 11/13/2018|Last Updated: 10/09/2019)

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001

Reason for Revision: A Servicing Stack Update has been released for all supported versions of Windows.

 

Known Issues

Microsoft is not officially reporting any new known issues this month.  However, there are reports of problems with KB4517389 for Windows 10 v1903

 

Search and Start menu issues

KB4517389 for Windows 10 v1903 Some users have reported on Microsoft community forum and Reddit that Windows 10 KB4517389 breaks the Start menu with a critical error. Microsoft says this is not a widespread issue and is investigating the reports. Uninstalling KB4517389 should fix the issue.

 

Start Menu showing Critical Error after installing KB4517389 update

https://answers.microsoft.com/en-us/windows/forum/all/kb-4517389-causes-critical-error-when-using-start/ae473b3c-ae57-4e1a-8c55-c727cd16fabd

 

Windows 10 version 1903 Known issues and notifications 

https://docs.microsoft.com/en-us/windows/release-information/status-windows-10-1903#688msgdesc

 

Good resource for known issues with Windows 10 patches. Click on the version in the left column for the status of known issues.

Windows 10 release information

https://docs.microsoft.com/en-us/windows/release-information/

 

 

Monthly Rollup/Security Only/Windows 10/Server 2016,2019 KBs

Links are https://support.microsoft.com/en-us/help/####### with the KB number only.

 

Security and Quality Rollup

  • KB4519976 – Windows 7, Windows Server 2008 R2
  • KB4520005 – Windows 8.1, Windows Server 2012 R2
  • KB4520007 – Windows Server 2012
  • KB4520002 – Windows Server 2008

 

Security Only Update

  • KB4520003 – Windows 7, Windows Server 2008 R2
  • KB4519990 – Windows 8.1, Windows Server 2012 R2
  • KB4519985 – Windows Server 2012
  • KB4520009 – Windows Server 2008

 

Cumulative Update for Windows 10

  • KB4520011 – Original release version 1507 (OS Build 10240)
  • None – Version 1511 (OS Build 10586)
  • KB4519998 – Version 1607 “Anniversary Update” (OS Build 14393)
  • KB4520010 – Version 1703 “Creators Update” (OS Build 15063)
  • KB4520004 – Version 1709 “Fall Creators Update” (OS Build 16299)
  • KB4520008 – Version 1803 “Spring Creators Update” (OS Build 17134)
  • KB4519338 – Version 1809 “October 2018 Update” (OS Build 17763)
  • KB4517389 – Version 1903 “May 2019 Update” (OS Build 18362)

Note: Server 2016 uses the same KB as Windows 10 Version 1607. Server 2019 uses the same KB as Windows 10 Version 1809.

 

KB4524135 – Cumulative Security Update for Internet Explorer 9/10/11

This cumulative update is included in the monthly updates listed above. It can be installed instead of the monthly to secure Internet Explorer otherwise it is “superseded” by the monthly update.

 

None – Security Update for Adobe Flash Player

 

October 2019 updates for Microsoft Office

https://support.microsoft.com/en-us/help/4522242/october-2019-updates-for-microsoft-office

 

 

Notable CVEs

 

CVE-2019-1060 | MS XML Remote Code Execution Vulnerability

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1060

A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input. An attacker who successfully exploited the vulnerability could run malicious code remotely to take control of the user’s system.

To exploit the vulnerability, an attacker could host a specially crafted website designed to invoke MSXML through a web browser. However, an attacker would have no way to force a user to visit such a website. Instead, an attacker would typically have to convince a user to either click a link in an email message or instant message that would then take the user to the website. When Internet Explorer parses the XML content, an attacker could run malicious code remotely to take control of the user’s system.

The update addresses the vulnerability by correcting how the MSXML parser processes user input.

 

CVE-2019-1255 | Microsoft Defender Denial of Service Vulnerability (Cumulative Update/Monthly Rollup)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1255

A denial of service vulnerability exists when Microsoft Defender improperly handles files. An attacker could exploit the vulnerability to prevent legitimate accounts from executing legitimate system binaries.

To exploit the vulnerability, an attacker would first require execution on the victim system.

The security update addresses the vulnerability by ensuring Microsoft Defender properly handles files.

 

CVE-2019-1315 | Windows Error Reporting Manager Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1315

An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles hard links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status.

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

The security update addresses the vulnerability by correcting how Windows Error Reporting manager handles hard links.

 

CVE-2019-1333 | Remote Desktop Client Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1333

A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server. An attacker who successfully exploited this vulnerability could execute arbitrary code on the computer of the connecting client. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would need to have control of a server and then convince a user to connect to it. An attacker would have no way of forcing a user to connect to the malicious server, they would need to trick the user into connecting via social engineering, DNS poisoning or using a Man in the Middle (MITM) technique. An attacker could also compromise a legitimate server, host malicious code on it, and wait for the user to connect.

The update addresses the vulnerability by correcting how the Windows Remote Desktop Client handles connection requests.

 

CVE-2019-1367 | Scripting Engine Memory Corruption Vulnerability (Cumulative Update/Monthly Rollup)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1367

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.

The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.

 

CVE-2019-1372 | Azure Stack Remote Code Execution Vulnerability

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1372

A remote code execution vulnerability exists when Azure Stack fails to check the length of a buffer prior to copying memory to it.

An attacker who successfully exploited this vulnerability could allow an unprivileged function run by the user to execute code in the context of NT AUTHORITY\system thereby escaping the Sandbox.

The security update addresses the vulnerability by ensuring that Azure Stack sanitizes user inputs.