Complex September update brings large Windows, browser and development tool patches

Complex September update brings large Windows, browser and development tool patches




Back to school, back to work…and now back to Microsoft updates. I hope that you got some rest this summer, as we are seeing an ever-increasing number and variety of vulnerabilities and corresponding updates covering all Windows platforms (desktop and server), Microsoft Office and a widening array of patches to Microsoft development tools.

This September update cycle brings two zero-days and three publicly reported vulnerabilities in the Windows platform. These two zero-days ( (CVE-2019-2014 and CVE-2019-1215) have credibly reported exploits which could lead to arbitrary code execution on the target machine. Both browser and Windows updates require immediate attention and your development team will need to spend some time with the latest patches to .NET and .NET Core.

The only good news here is that with each later release of Windows, Microsoft does seem to be experiencing fewer major security issues. There is now a good case to keep up with a rapid update cycle and stay with Microsoft on the later versions, with older releases an increasing security (and change control) risk. We have included an enhanced infographic detailing the Microsoft Patch Tuesday “threatscape” for this September, found here.

Known issues

With each update that Microsoft releases, there are generally a few issues that have been raised in testing. For this September release, and specifically Windows 10 1803 (and earlier)  builds, the following issues have been raised:

  • 4516058: Windows 10, version 1803, Windows Server version 1803 – Microsoft states in their latest release notes that, “Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This issue appears to be happening to a large number of clients, and it appears that Microsoft is taking the issue seriously and investigating. Expect an out of bound update on this issue if there is a reported vulnerability paired to this issue.
  • 4516065 : Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Monthly Rollup) VBScript in Internet Explorer 11 should be disabled by default after installing KB4507437 (Preview of Monthly Rollup) or KB4511872 (Internet Explorer Cumulative Update) and later. However, in some circumstances, VBScript may not be disabled as intended. This is a follow-up from last month’s (July) Patch Tuesday Security update. I think the key issue here is to ensure that VBScript really is disabled for IE11. Now that Adobe Flash is gone, we can start working to remove VBScript from our systems
  • Windows 10 1903 Release Information : Updates may fail to install, and you may receive Error 0x80073701. Installation of updates may fail, and you may receive the error message, “Updates Failed, there were problems installing some updates, but we’ll try again later” or “Error 0x80073701” on the Windows Update dialog or within Update history. Microsoft has reported that these issues are expected to be resolved in either the next release or possibly at the end of the month.

Major revisions

There were a number of late published revisions to this month’s September Patch Tuesday update cycle including:

  • CVE-2018-15664: Docker Elevation of Privilege Vulnerability. Microsoft has released an updated version of the AKS code which can be now found here.
  • CVE-2018-8269 : OData Library Vulnerability. Microsoft has updated this issue including NET Core 2.1 and 2.1 to the affected products list.
  • CVE-2019-1183: Windows VBScript Engine Remote Code Execution Vulnerability. Microsoft has released information detailing that this vulnerability has been fully mitigated now with other related updates to the VBScript engine. In this rare example, no further action is required, and this change/update is no longer required. You may find that the provided link no longer works, depending on your region.

Browsers

Microsoft is working to address eight critical updates that could lead to a remote code execution scenario. A pattern is emerging with a recurring set of security issues raised against the following browser functionality clusters:

Copyright © 2019 IDG Communications, Inc.






Software

Leave a Reply

Your email address will not be published.