You know the deal: October 2019. Pwned by a spreadsheet. Patch your Microsoft stuff
On the bright side, nothing from Adobe to install this month
Patch Tuesday October brings a relatively light patch load for admins and users, thanks to Adobe's decision to sit out this month's update bonanza.
Cloudy patch bundle from Microsoft
For Microsoft, the Patch Tuesday update is a manageable 59 CVE-listed bugs for Windows, Edge, Office, and Azure.
Among the nine critical issues patched this month is CVE-2019-1372, a flaw in Azure that allows end-users running on virtual machines to send and execute code on the host machines.
This is particularly bad because it is, in essence, both an elevation of privilege bug and a remote code execution vulnerability.
"An attacker could use this vulnerability to have an unprivileged function run by a user execute code at the level of System. That provides an attacker a nifty sandbox escape," explained Dustin Childs of the Trend Micro ZDI.
"Microsoft gives this an 'Exploitation Less Likely' Exploit Index rating, but if you use the Azure App Service, don’t depend on that and do apply the patch."
Aside from the Azure flaw, October's update addresses many of the usual security holes in Microsoft's offerings. Seven critical fixes address remote code execution flaws in the Chakra and VBScript tools that can be exploited through a poisoned web page.
The remote desktop client continues to be an area of concern, thanks to CVE-2019-1333. That flaw allows a bad actor to achieve remote code execution by tricking the mark into connecting to a malicious server.
While Microsoft doesn't usually consider Office bugs to be critical, admins should also pay special attention to those flaws, including CVE-2019-1327. An attacker would be able to get remote code execution by tricking the user into opening a poisoned file.
Considering how often users in a business setting will open Excel spreadsheet attachments without a second thought, we would argue this flaw is just as dangerous as any browser-based flaw.
Windows 10 Mobile also got in on the Patch Tuesday fun this month, as the platform was subject to CVE-2019-1314. The security bypass flaw lets users work around the Cortana lock screen to access a device.
"Although Microsoft details the bug, they aren’t fixing it. Instead, they recommend users of Windows 10 Mobile disable Cortana on the lock screen," explained Childs.
"If your organization uses devices with this OS, start rounding them up to make the change."
No Adobe fixes, but Android needs patching
Notably absent this month is Adobe. The media giant has opted not to post any fixes for Flash, Reader, Acrobat, or any of its other offerings. The most recent Adobe release was the September 25 update for ColdFusion.
Meanwhile, there is a late-arriving monthly patch from Google for Android. The mobile platform has received a number of fixes, most notably patches for three remote code execution bugs in the media framework that allow attacks via poisoned files.
Those who have Google-branded devices can get the Android updates directly from the Chocolate Factory, while others will have to wait for their device vendor or carrier to get around to releasing the patch.
Eight patches from SAP
MacOS 'Catalina' 10.15 comes packed with exclusive security fixes – gee, thanks, AppleREAD MORE
SAP, on the other hand, was more than happy to take part in this month's Patch Tuesday. The enterprise software powerhouse released patches for eight CVE-listed flaws.
Among the most serious were CVE-2019-0379, a security bypass bug thanks to a missing authentication check in NetWeaver and CVE-2019-0380, an information Disclosure bug in SAP Landscape Management.
Admins are advised to test and install all of the patches as soon as possible.
While October saw a reduced patch load thanks to the absence of Adobe and Google, those who dragged their feet on the updates for MacOS and Cisco may have those patches to install on top of today's bundle. ®