[SingCERT] Microsoft October 2019 Patch Tuesday

Published on Wednesday, 09 October 2019 11:52

Background

Microsoft has announced the release of 60 security patches to address vulnerabilities affecting its Operating System (OS) and other related products.

The following vulnerabilities were rated critical and require immediate attention:

CVE-2019-1372 - This vulnerability exists when Azure App Service/ Antares on Azure Stack fails to check the length of a buffer prior to copying memory to it. Successful exploitation of this vulnerability could allow an unprivileged function run by the user to execute code in the context of NT AUTHORITY\system thereby escaping the Sandbox.

CVE-2019-1366, CVE-2019-1307, CVE-2019-1308 - These vulnerabilities exist in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, successful exploitation of this vulnerability could allow the attack to gain the same user rights as the current user and take control of the affected system.

CVE-2019-1060 - This vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input. Successful exploitation of this vulnerability could allow attacker to run malicious code remotely and take control of the user’s system.

CVE-2019-1238, CVE-2019-1239 - These vulnerabilities exist in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, successful exploitation of this vulnerability could allow the attack to gain the same user rights as the current user and take control of the affected system.

CVE-2019-1333 - This vulnerability exists when Windows Remote Desktop Client connects to a malicious server. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the computer of the connecting client.

ADV990001 - This is a list of the latest servicing stack updates for each operating system. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV990001

For the full list of security patches released by Microsoft, please visit https://portal.msrc.microsoft.com/en-us/security-guidance.

Affected Products

Microsoft’s release contains updates for the following:

Microsoft Windows
Internet Explorer
Microsoft Edge
ChakraCore
Microsoft Office and Microsoft Office Services and Web Apps
SQL Server Management Studio
Open Source Software
Microsoft Dynamics 365
Windows Update Assistant

Impact

Successful exploitation of these critical vulnerabilities could allow attackers to perform remote code execution and take control of the affected systems to perform malicious activities, including unauthorised installation of programs, creating rogue administrator accounts and ability to view, change, or delete data.

Recommendation

Users and system administrators of affected products are strongly encouraged to apply the security updates immediately.

References

https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/28ef0a64-489c-e911-a994-000d3a33c573
https://www.bleepingcomputer.com/news/microsoft/microsofts-october-2019-patch-tuesday-fixes-59-vulnerabilities/