September update brings large Windows, browser and development tool patches

Back to high school, back to work…and currently back to Microsoft updates. I hope that you just got some rest this summer, as we tend to ar seeing AN ever-increasing range and type of vulnerabilities and corresponding updates covering all Windows platforms (desktop and server), Microsoft workplace and a widening array of patches to Microsoft development tools.

 

This Gregorian calendar month update cycle brings two zero-days and three in public rumored vulnerabilities within the Windows platform. These 2 zero-days ( (CVE-2019-2014 and CVE-2019-1215) have probably rumored exploits that could lead on to arbitrary code execution on the target machine. each browser and Windows updates need immediate attention and your development team can ought to pay your time with the most recent patches to .NET and .NET Core.

The only excellent news here is that with every later unharness of Windows, Microsoft will appear to be experiencing fewer major security problems. there’s currently a decent case to stay up with a speedy update cycle and stick with Microsoft on the later versions, with older releases AN increasing security (and modification control) risk. we’ve enclosed AN increased infographic particularisation the Microsoft Patch Tuesday “threatscape” for this Gregorian calendar month, found here.

With every update that Microsoft releases, there ar usually a couple of problems that are raised in testing. For this Gregorian calendar month unharness, and specifically Windows ten 1803 (and earlier) builds, the subsequent problems are raised:

4516058: Windows ten, version 1803, Windows Server version 1803 – Microsoft states in their latest unharness notes that, “Certain operations, like rename, that you just perform on files or folders that ar on a Cluster Shared Volume (CSV) could fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This issue seems to be happening to an outsized range of shoppers, and it seems that Microsoft is taking the problem seriously and work. Expect AN out of certain update on this issue if there’s a rumored vulnerability paired to the present issue.
4516065 : Windows seven Service Pack one, Windows Server 2008 R2 Service Pack one (Monthly Rollup) VBScript in web person eleven ought to be disabled by default when putting in KB4507437 (Preview of Monthly Rollup) or KB4511872 (Internet person additive Update) and later. However, in some circumstances, VBScript might not be disabled as supposed. this can be a follow-up from last month’s (July) Patch Tuesday Security update. i believe the key issue here is to make sure that VBScript very is disabled for IE11. currently that Adobe Flash is gone, we are able to begin operating to get rid of VBScript from our systems
Windows ten 1903 unharness data : Updates could fail to put in, and you will receive Error 0x80073701. Installation of updates could fail, and you will receive the error message, “Updates failing, there have been issues putting in some updates, however we’ll attempt once more later” or “Error 0x80073701” on the Windows Update dialog or inside Update history. Microsoft has rumored that these problems ar expected to be resolved in either consequent unharness or presumably at the top of the month.
Major revisions
There were variety currently printed revisions to the present month’s Gregorian calendar month Patch Tuesday update cycle including:

CVE-2018-15664: loader Elevation of Privilege Vulnerability. Microsoft has discharged AN updated version of the AKS code which may be currently found here.
CVE-2018-8269 : OData Library Vulnerability. Microsoft has updated this issue as well as internet Core a pair of.1 and 2.1 to the affected merchandise list.
CVE-2019-1183: Windows VBScript Engine Remote Code Execution Vulnerability. Microsoft has discharged data particularisation that this vulnerability has been absolutely satisfied currently with alternative connected updates to the VBScript engine. during this rare example, no additional action is needed, and this change/update is not any longer needed. you will notice that the provided link now not works, betting on your region.
Browsers
Microsoft is functioning to deal with eight essential updates that might cause a foreign code execution state of affairs. A pattern is rising with a continual set of security problems raised against the subsequent browser practicality clusters:

Chakra Scripting Engine
VBScript
Microsoft Scripting Engine
All of those problems have an effect on the foremost recent versions of Windows ten (both 32-bit and 64-bit) and apply to each Edge and web person (IE). The VBScript problems (CVE-2019-1208) ANd CVE-2019-1236) ar significantly nasty as a visit to an internet site could cause the unintended install of a malicious ActiveX management that then effectively cedes management to an offender. we propose that each one enterprise customers:

[ Prepare to become a licensed data Security Systems skilled with this comprehensive on-line course from PluralSight. currently providing a 10-day free trial! ]
Disable ActiveX Controls for each browsers
Disable VBScript for each browsers
Remove Flash from Edge
Given these issues, please add this browser update to your “Patch Now” schedule.

Windows

Microsoft has tried to deal with 5 essential vulnerabilities and an extra forty four security problems that are rated as necessary by Microsoft. The “elephant within the room” is that the 2 zero-day in public exploited vulnerabilities:

CVE-2019-1215: this can be a foreign execution vulnerability within the core Winsock networking part (ws2ifsl.sys) that might cause AN offender running arbitrary code, once domestically echt.
CVE-2019-1214: this can be ANother essential vulnerability Windows Common Log filing system (CLFS) that threatens older system with an arbitrary code execution upon native authentication.
Regardless of what else is going on with Windows updates this month, these 2 problems ar pretty serious and can need immediate attention. additionally to the 2 Gregorian calendar month zero-days, Microsoft has discharged variety of alternative updates including:

4515384: Windows ten, version 1903, Windows Server version 1903 – This bulletin refers to 5 vulnerabilities about Micro-architectural information Sampling wherever the micro-processor makes an attempt to guess what directions could come back next. Microsoft recommends disabling Hyper-Threading. Please see the Microsoft knowledge domain Article 4073757 for steerage on protective Windows platforms. to deal with the subsequent vulnerabilities in, you will want a computer code upgrade:
CVE-2018-12126 – Microarchitectural Store Buffer information Sampling (MSBDS)
CVE-2018-12130 – Microarchitectural Fill Buffer information Sampling (MFBDS)
CVE-2018-12127 – Microarchitectural Load Port information Sampling (MLPDS)
CVE-2019-11091 – Microarchitectural information Sampling Uncacheable Memory (MDSUM)
Windows Update Improvements: Microsoft has discharged AN update on to the Windows Update shopper to enhance responsibility. Any device running Windows ten designed to receive updates mechanically from Windows Update, as well as Enterprise and professional editions.
CVE-2019-1267: Microsoft Compatibility Appraiser Elevation of Privilege Vulnerability. this can be AN update to the Microsoft compatibility engine. this could begin to boost additional and additional disputable problems for enterprise customers terribly presently. I wished to possess a touch “dig” here at Microsoft as their application compatibility assessment tool was breaking applications. I selected to not.
As mentioned antecedently, this can be an enormous update, with credible reports of in public exploited vulnerabilities on the Windows platform. Add this update to your “Patch Now” unharness schedule.

Microsoft workplace

This month Microsoft addresses 3 essential and eight necessary vulnerabilities within the Microsoft workplace productivity suite covering the subsequent areas:

Lync 2013 data revelation Vulnerability
Microsoft SharePoint Remote Code/Spoofing/XSS Vulnerability
Microsoft surpass Remote Code Execution Vulnerability
Jet information Engine Remote Code Execution Vulnerability
Microsoft surpass data revelation Vulnerability
Microsoft workplace Security Feature Bypass Vulnerability
Lync 2013 might not be your high priority this month, however the JET and SharePoint problems ar serious and can need a response. The Microsoft JET information problems ar the explanation for most concern, even if Microsoft has rated them necessary, as they’re key dependencies across a broad platform. Microsoft JET has continuously been troublesome to right and currently it looks to be inflicting security problems monthly for the past year. It’s time to maneuver far from JET… similar to everybody has rapt from Flash and ActiveX, right?

Add this update to your normal patch schedule, and make certain that each one of your gift information applications are tested before a full roll-out.

Development tools

This section gets a touch larger with every Patch Tuesday. Microsoft is addressing six essential updates and an extra six updates rated as necessary covering the subsequent development areas:

Chakra Scripting Engine
Rome SDK (in case you didn’t recognize, its Microsoft’s in-house Graph tool)
Diagnostics Hub normal Collector Service
.NET Framework. Core and internet Core
Azure DevOps and Team Foundation Server
Critical updates to Chakra Core and Microsoft Team Foundation server would force immediate attention whereas the remaining patches ought to be enclosed within the developer update unharness schedule. With coming major releases to .NET Core this November, we’ll still see giant updates during this space. As always, we propose some thorough testing and a staged unharness cadence for your development updates.

Adobe
Adobe is back on kind with a essential update enclosed during this month’s regular patch cycle. Adobe’s update (APSB19-46) addresses 2 memory connected problems that could lead on to arbitrary code execution on the target platform. each security problems (CVE-2019-8070 and CVE-2019-8069) have a combined base CVSS score of eight.2,and so we propose that you just add this essential update to your Patch Tuesday unharness schedule.

Leave a Reply