
Patch Tuesday Update – October 8, 2019

By Jeannette Jarvis | October 08, 2019

October Patch Tuesday brought a myriad of updates from a variety of vendors. Here we highlight the critical vulnerabilities patched by Microsoft and also touch on updates from Apple and Google. There were no updates from Adobe at the time of this posting. Get Patching!

Patch Overview

Microsoft

Today, Microsoft released security updates fixing 59 security vulnerabilities. Nine of these patches have a critical severity level, and the rest are rated as important. None of the vulnerabilities patched this month were publicly disclosed before Patch Tuesday, nor are any known to have been publicly exploited at this time. Regardless, users are advised to install these security updates as soon as possible to protect Windows and Microsoft applications from any of the security flaws these patches fix. Consider patching the most critical vulnerabilities as your top priority.

Here is an overview of some of the critical vulnerabilities patched this month:

  • CVE-2019-1333 is a critical out-of-bounds write vulnerability in the Windows RDP client. This vulnerability can be used to achieve remote code execution on connected RDP clients.
  • CVE-2019-1307, CVE-2019-1308, CVE-2019-1355, and CVE-2019-1366 are critical type confusion vulnerabilities in Microsoft Edge. A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. These vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
  • CVE-2019-1372 is an elevation of privilege vulnerability in Azure Stack that occurs when the Azure App Service fails to properly check the length of a buffer prior to copying memory to it.
  • CVE-2019-1060 is a critical remote code execution vulnerability in MS XML.
  • CVE-2019-1238 and CVE-2019-1239 are critical VBScript remote code execution vulnerabilities that could be used in malicious Office documents or on specially crafted websites.

The additional security updates released on October 8th target vulnerabilities in Microsoft Windows, Microsoft SharePoint, SQL Server, Jet Database, Internet Explorer, Microsoft IIS Server, and other Windows application and platform concerns. The impact of these vulnerabilities covers a wide range, including elevation of privilege, information disclosure, security feature bypass, remote code execution, spoofing, tampering, and denial of service.

Full details of the patches can be found in the Microsoft Security Update Guide.

Microsoft also sent a reminder that Windows 7 and Windows Server 2008 R2 will be out of extended support and will no longer receive updates as of January 14, 2020. You should update any computers running Windows 7 or Windows Server 2008 R2 so that you continue to receive security updates.

NOTE: Fortinet has IPS signatures available for all of the Microsoft vulnerabilities patched this month.

Apple

Apple also released updates to address multiple vulnerabilities in various products, listed below.

Check out the Apple Security Update page for the full list of CVEs addressing these products and solutions.

Android

Google’s October Android security update fixes critical and high-severity vulnerabilities. Patches for CVE-2019-2184, CVE-2019-2185, and CVE-2019-2186 fix critical flaws that exist in Android’s Media framework, and should be addressed as a priority. Read the Android Security Bulletin for more details.

Patching is Fundamental

Most malware exploits system vulnerabilities for which a patch already exists. As a result, patching is one of the most critical security procedures an organization can address. Reviewing and prioritizing patches, upgrading or replacing systems no longer supported, or implementing comprehensive proximity control to protect vulnerable systems that cannot be patched are fundamental security best practices that every organization needs to adopt.

In addition, organizations need to ensure that security solutions, such as IPS, anti-virus, anti-malware, and web filtering software, are regularly updated, as they often contain additional protections against these vulnerabilities and related exploits.
