October Patch Tuesday brought a myriad of updates from a variety of vendors. Here we highlight the critical vulnerabilities released by Microsoft, but also touch on updates from Apple and Google as well. There were no updates from Adobe at the time of this posting. Get Patching!
Today, Microsoft released security updates fixing 59 security vulnerabilities. Nine of these patches have a critical severity level, and the rest are rated as important. None of the vulnerabilities patched this month were publicly disclosed before Patch Tuesday, nor are any known to have been publicly exploited at this time. Regardless, users are advised to install these security updates as soon as possible to protect Windows and Microsoft applications from any of the security flaws these patches fix. Consider patching the most critical vulnerabilities as your top priority.
Here is an overview of some of the critical vulnerabilities patched this month:
The additional security updates released on October 8th target vulnerabilities in Microsoft Windows, Microsoft SharePoint, SQL Server, Jet Database, Internet Explorer, Microsoft IIS Server, and other Windows application and platform concerns. The impact of these vulnerabilities cover a wide range of potential exploits, including elevation of privilege, information disclosure, security feature by-pass, remote code execution, spoofing, tampering, and denial of service attacks.
Full details of the patches can be found here: Microsoft Security Update Guide
Microsoft also sent a reminder that Windows 7 and Windows Server 2008 R2 will be out of extended support and no longer receiving updates as of January 14, 2020. You should update any computers running Windows 7 or Windows Server 2008 R2 so you will continue to receive security updates.
NOTE: Fortinet has IPS signatures available for all of the Microsoft vulnerabilities patched this month.
Apple also released updates to address multiple vulnerabilities in various products, listed below.
Check out the Apple Security Update page for the full list of CVEs addressing these products and solutions.
Google’s October Android security update fixes critical and high-severity vulnerabilities. Patches for CVE-2019-2184, CVE-2019-2185, and CVE-2019-2186 fix critical flaws that exist in Android’s Media framework, and should be addressed as a priority. Read the Android Security Bulletin for more details.
Most malware exploits system vulnerabilities for which a patch already exists. As a result, patching is one of the most critical security procedures an organization can address. Reviewing and prioritizing patches, upgrading or replacing systems no longer supported, or implementing comprehensive proximity control to protect vulnerable systems that cannot be patched are fundamental security best practices that every organization needs to adopt.
In addition, organizations need to ensure that security solutions, such as IPS, anti-virus, anti-malware, and web filtering software are regularly updated as they often contain additional protections against these vulnerabilities and related exploits.
Read about the FortiGuard Security Rating Service, which provides security audits and best practices.