Microsoft is today rolling out its October 2019 Patch Tuesday security updates, fixing a total of 59 vulnerabilities in Windows operating systems and related software: 9 are rated critical, 49 important, and one moderate in severity.
What’s good about this month’s update is that, for the first time in a long while, none of the vulnerabilities patched by the tech giant is listed as publicly known or under active attack.
Moreover, there is no roll-up patch for Adobe Flash Player bundled in Windows update for this month.
Besides this, Microsoft has also put up a notice as a reminder for Windows 7 and Windows Server 2008 R2 users, warning them that the extended support for these two operating systems is about to end in the next two months and that they will no longer receive updates as of January 14, 2020.
Two of the critical vulnerabilities patched this month are remote code execution flaws in the VBScript engine, and both exist in the way VBScript handles objects in memory, allowing attackers to corrupt memory and execute arbitrary code in the context of the current user.
These two vulnerabilities, tracked as CVE-2019-1238 and CVE-2019-1239, can be exploited remotely by tricking victims into visiting a specially crafted website through Internet Explorer.
An attacker can also exploit these issues through an application or Microsoft Office document that embeds an ActiveX control marked ‘safe for initialization’ and uses the Internet Explorer rendering engine.
As in recent months, Microsoft has patched another reverse RDP attack, in which an attacker can take control of a client computer that connects to a malicious RDP server by exploiting a critical remote code execution vulnerability in the Windows built-in Remote Desktop Client.
Unlike the wormable BlueKeep vulnerability, the newly patched RDP vulnerability is client-side, so an attacker must trick the victim into connecting to a malicious RDP server via social engineering, DNS poisoning, or a Man-in-the-Middle (MITM) technique.
Three of the critical RCE vulnerabilities are memory corruption flaws residing in the way the Chakra scripting engine handles objects in memory in Microsoft Edge, whereas one critical RCE flaw is an elevation of privilege issue that exists when Azure App Service on Azure Stack fails to check the length of a buffer before copying memory to it.
Other vulnerabilities patched by Microsoft this month and marked as important reside in the following Microsoft products and services:
- Microsoft Windows
- Internet Explorer
- Microsoft Edge
- Microsoft Office, Office Services and Web Apps
- SQL Server Management Studio
- Open Source Software
- Microsoft Dynamics 365
- Windows Update Assistant
Most of these vulnerabilities allow elevation of privilege, and some also lead to remote code execution attacks, while others allow information disclosure, cross-site scripting (XSS), security feature bypass, spoofing, tampering, and denial of service attacks.
Windows users and system administrators are strongly advised to apply the latest security patches as soon as possible to keep cybercriminals and hackers from taking control of their computers.
To install the latest Windows security updates, go to Settings → Update & Security → Windows Update → Check for updates on your PC, or install the updates manually.
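For administrators who need to confirm the rollout across many hosts rather than clicking through Settings, the following PowerShell script is an added example (not from the article or from Microsoft): it reports whether a given cumulative update is installed, whether a reboot is still pending, and whether the host is one of the Windows 7 / Server 2008 R2 systems that leave extended support on January 14, 2020. The KB number is a placeholder; the article does not name the October 2019 KB IDs, so look up the one for your OS build in the Microsoft Security Update Guide. The reboot-pending check reads two well-known registry markers set by the servicing stack and Windows Update.

```powershell
# Added example, not the article's own content.
# $RequiredKB is a PLACEHOLDER: replace it with the KB ID of the October 2019
# cumulative update for this OS build (from the Microsoft Security Update Guide).
$RequiredKB = 'KB0000000'

function Test-PendingReboot {
    # Markers left by Component Based Servicing and Windows Update while an
    # installed update is waiting for a restart.
    $markers = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )
    foreach ($m in $markers) {
        if (Test-Path -Path $m) { return $true }
    }
    return $false
}

function Get-PatchStatus {
    param([Parameter(Mandatory)][string]$KB)

    $os     = Get-CimInstance -ClassName Win32_OperatingSystem
    $hotfix = Get-HotFix -Id $KB -ErrorAction SilentlyContinue

    # Windows 7 and Windows Server 2008 R2 stop receiving updates on this date.
    $eosDate  = [datetime]'2020-01-14'
    $isLegacy = $os.Caption -match 'Windows 7|Server 2008 R2'
    $eos      = if ($isLegacy) { $eosDate } else { $null }
    $daysLeft = if ($isLegacy) { ($eosDate - (Get-Date).Date).Days } else { $null }
    $instOn   = if ($hotfix) { $hotfix.InstalledOn } else { $null }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        OS               = $os.Caption
        Build            = $os.BuildNumber
        RequiredKB       = $KB
        PatchInstalled   = [bool]$hotfix
        InstalledOn      = $instOn
        RebootPending    = Test-PendingReboot
        EndOfSupportDate = $eos
        DaysUntilEOS     = $daysLeft
    }
}

$status = Get-PatchStatus -KB $RequiredKB
$status | Format-List

if (-not $status.PatchInstalled) {
    Write-Warning "Update $RequiredKB not found; run Windows Update or install the package manually."
}
if ($status.RebootPending) {
    Write-Warning "A reboot is pending; the update is not fully effective until the host restarts."
}
if ($null -ne $status.EndOfSupportDate) {
    Write-Warning "This OS leaves extended support on $($status.EndOfSupportDate.ToShortDateString()) ($($status.DaysUntilEOS) days); plan a migration."
}
```

Run it with `Invoke-Command -ComputerName <hosts> -FilePath .\Get-PatchStatus.ps1` to collect the same object from a fleet and pipe the results to `Export-Csv`; a host that reports `PatchInstalled = False` or `RebootPending = True` is still exposed to the issues described above.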