Microsoft Delivers ‘Mild’ September Safety Patch Bundle
Microsoft on Tuesday launched September security patches for Home windows and functions, addressing 85 vulnerabilities.
Patches had been launched for supported Home windows working methods, Microsoft’s Web Explorer and EdgeHTML-based browsers, the Adobe Flash Participant and far more. Microsoft provides a partial checklist of the software program getting patches this month in these Release Notes.
Servicing Stack Updates
One peculiar element to notice is that Microsoft launched Servicing Stack Updates (SSUs) for all supported Home windows methods this month. Organizations usually want to put in these SSUs to get future updates from Microsoft.
The discharge of SSUs for all Home windows methods this month was “a bit out of the bizarre,” in response to Chris Goettl, director of product supervisor for safety at Ivanti, in an e-mail. He famous that SSUs are usually rated Important, however they do not really resolve safety points. He supplied the following recommendation on testing these SSUs:
The shortest we now have seen from availability to enforcement is 2 months. Our steering is to start testing [these SSUs] as quickly as potential and plan to have these in place earlier than November to be on the protected aspect. Earlier than October can be greatest case on the off probability Microsoft enforces these adjustments sooner.
Ivanti will host a public September patch Tuesday dialogue session on September 11, with sign-up accessible here.
Total, the September bundle of patches handle 85 vulnerabilities, with 19 rated “Important,” 65 deemed “Essential” and one labeled “Average,” in response to a blog post by Jon Munshaw of Cisco’s Talos safety group.
Patch Tuesday counts are inclined to range every month, relying the safety group that counts them. Goettl, who tallied simply “79 distinctive CVEs this month,” described Microsoft’s September patch bundle as “a comparatively gentle set of updates.”
Two of the Home windows vulnerabilities getting patches this month (CVE-2019-1214 and CVE-2019-1215) had been beforehand exploited. Two others (CVE-2019-1235 and CVE-2019-1294) had been publicly disclosed. These circumstances are good causes to prioritize the patching, though all 4 of these vulnerabilities had been simply rated Essential, as famous by Justin Childs of Development Micro’s Zero Day Initiative, in a blog post.
Childs added that the Essential Home windows patch, CVE-2019-1215, addresses a low-level Home windows service referred to as the Winsock2 Built-in File System Layer, which has been “focused by malware within the previous.” It is at the moment beneath assault but once more, and will allow an attacker to “go from Consumer stage to Administrator stage entry.”
There’s additionally an Essential patch (CVE-2019-1289) that is notable for addressing a vulnerability within the Home windows Replace Supply Optimization characteristic. The flaw was present in a part that is used to cut back community bandwidth calls for in the course of the replace course of, in response to Childs.
SharePoint is getting a Important patch (CVE-2019-1257) this month to deal with a distant code execution vulnerability. It is considered one of three SharePoint bugs that had been found by the Zero Day Initiative, Childs indicated.
RDP Flaws and BlueKeep
There are 4 Important patches for Home windows Distant Desktop Protocol (RDP) this month, specifically CVE-2019-1291, CVE-2019-1290, CVE-2019-0788 and CVE-2019-0787, in response to the Cisco Talos group. Nonetheless, these 4 vulnerabilities aren’t at the identical stage because the so-called “BlueKeep” flaw (CVE-2019-0708) Microsoft issued patches for again in Might, plus later-patched RDP flaws which can be being dubbed “DejaBlue.”