It was all going so well. We had a few months of updates that both rapidly and readily addressed security issues without many problems. This October Patch Tuesday is an important but troubled patch release from Microsoft. We have a critical, out-of-band browser update (CVE-2019-1367) that has been widely reported as causing a number of deployment issues. Our advice this month is to wait, test and stage your patch deployments. The only good news here is that we are not all rushing around trying to extinguish another “screaming-hair-on-fire” Adobe issue.
Known Issues
This section addresses the known issues from the previous month’s patch cycle, as well as outstanding issues that may persist with older builds of Windows desktop and server platforms.
Last month’s update appeared to be generally problem free, but it appears that a few reported problems were sufficient for Microsoft to respond with an update to previous patches to resolve the following issues:
- The Keyboard Lockdown Subsystem that may not filter key input correctly.
- An issue that prevents netdom.exe from displaying the new ticket-granting ticket (TGT) delegation bit for the display or query mode.
- The security bulletin CVE-2019-1318 that may cause client or server computers that don’t support Extended Master Secret (EMS) RFC 7627 to have increased connection latency and CPU utilization. This issue occurs while performing full Transport Layer Security (TLS) handshake from devices that don’t support EMS, especially on servers.
- Applications and printer drivers that utilize the Windows JavaScript engine (jscript.dll) for processing print jobs may fail to behave as expected.
And, if you are on Windows 10 builds older than release 1803, then you may also have the following issue with this month’s October update:
- Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform an operation on a CSV owner node from a process that doesn’t have administrator privilege.
Microsoft has published a handy guide to all known issues for this patch release here: Security update deployment information. In another shining endorsement of the success of Windows 10, Release 1903, there are currently no known (reported) issues with any of the current updates. All previous versions of Windows have issues with updates to both Internet Explorer (IE) and Microsoft Edge.
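The EMS item in the list above turns on whether a client offers the extended_master_secret extension (type 0x0017, RFC 7627) in its TLS ClientHello. The following added example (not from the original article or from Microsoft) parses captured ClientHello records to list the clients that do not offer it; the sample records and client addresses are constructed for illustration.

```python
import struct

EXT_EMS = 0x0017  # extended_master_secret extension type (RFC 7627)

def client_hello_extensions(record: bytes) -> list:
    """Return the extension type codes carried in one TLS ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record holding a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    try:
        pos = 2 + 32                                          # version + random
        pos += 1 + hello[pos]                                 # session_id
        pos += 2 + int.from_bytes(hello[pos:pos + 2], "big")  # cipher_suites
        pos += 1 + hello[pos]                                 # compression_methods
    except IndexError:
        raise ValueError("ClientHello is truncated or malformed") from None
    if len(hello) < hs_len or pos > len(hello):
        raise ValueError("ClientHello is truncated or malformed")
    if pos + 2 > len(hello):
        return []                                 # hello carries no extensions block
    end = min(len(hello), pos + 2 + int.from_bytes(hello[pos:pos + 2], "big"))
    pos += 2
    found = []
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        found.append(ext_type)
        pos += 4 + ext_len                        # skip the extension body
    return found

def build_sample_hello(ext_types) -> bytes:
    """Constructed input: minimal TLS 1.2 ClientHello with empty-bodied extensions."""
    exts = b"".join(struct.pack("!HH", t, 0) for t in ext_types)
    hello = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
    if ext_types:
        hello += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

SAMPLES = {  # constructed captures keyed by hypothetical client addresses
    "10.0.0.21": build_sample_hello([0x0023, 0x0017]),  # session_ticket + EMS
    "10.0.0.37": build_sample_hello([0x0023]),          # session_ticket only
    "10.0.0.44": build_sample_hello([]),                # no extensions at all
}

def clients_without_ems(captures: dict) -> list:
    """Clients whose ClientHello does not offer extended_master_secret."""
    return sorted(ip for ip, rec in captures.items()
                  if EXT_EMS not in client_hello_extensions(rec))
```

Running `clients_without_ems` over ClientHello records taken from your own packet captures gives the inventory of devices that would hit the full-handshake path described in the known issue.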
Major Revisions
The following updates were made to existing patches over the past month (patch cycle):
- CVE-2019-1192 – Microsoft Browsers Security Feature Bypass Vulnerability. This update is an attempt by Microsoft to comprehensively address CVE-2019-1192. Microsoft has released October 2019 security updates for Microsoft Edge installed on supported editions of Windows 10 and for Internet Explorer 11 installed on all affected versions of Windows 10. This is an update to the August Patch Tuesday update cycle. The rating from Microsoft remains as important.
- CVE-2019-1367 – Scripting Engine Memory Corruption Vulnerability. The October security updates Microsoft is releasing on October 8, 2019, address a known printing issue customers might have experienced after installing any of the Security Updates, IE Cumulative Updates, or Monthly Rollups that were released on September 23 or October 3. This is still a critical update.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge)
- Microsoft Windows (both desktop and server)
- Microsoft Office (Including Web Apps and Exchange)
- Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core)
- Adobe Flash Player
Browsers
Microsoft has released ten updates to both browsers this month, with five rated as critical by Microsoft affecting the Chakra, JavaScript and VBScript engines. If we only had to discuss these patches, then we would have an easy job this month, with a standard schedule for releasing browser patches. However, Microsoft released an out-of-band (OOB) patch to IE in an attempt to resolve a reported vulnerability in the IE script engine (CVE-2019-1367). It’s a proper zero-day issue, with wide reports of exploitation that only require a visit to a specially crafted webpage. It’s a bad one.
This patch is causing problems. We have seen reports of printers not working (Kyocera printers in particular), difficult-to-troubleshoot line-of-business (LOB) application scenarios and problems with JavaScript scripts (referencing JSCRIPT.DLL). This OOB update caught us all by surprise and I feel at this time that Microsoft could have provided some more documentation in advance. After working with our team, we don’t have a simple prescriptive next step for this update. This does not happen that often. I think that each organization needs to assess the risks of not deploying this update against the risks to core applications, and possible (and likely) printing issues. Our advice: test your core applications, test all your printers, and then stage a measured roll-out on a departmental basis.
Windows
Microsoft has released 38 patches to the Windows platform this month, with two rated as critical (CVE-2019-1060, CVE-2019-1333) and a critical servicing stack advisory (ADV990001). Again, we are seeing updates to familiar Windows components: Microsoft JET Engine, RDP, HTTP, APPX, GDI and XML Core Services. This month the servicing stack updates include fixes to resolve:
- a problem with the Secure Boot revocation list (DBX) update experience to avoid multiple restarts when you deploy the DBX update on a device where the Credential Guard service is not running.
- an issue in which the Secure Boot revocation list (DBX) is not applied when the Secure Boot allow list (DB) update is empty.
With reported problems with Cortana, printing issues, difficult JScript troubleshooting scenarios or problems with rebooting, this large, complex update will require extensive testing. We suggest that most organizations WAIT for a few more days, find out where the trouble spots are, and then test extensively before a general deployment.
Microsoft Office
This month’s update brings several updates to Microsoft SharePoint Server with six updates rated as important for Microsoft Office applications. The most serious vulnerabilities relate to a remote code execution scenario in Microsoft Excel 2016. Both CVE-2019-1327 and CVE-2019-1331 are included in a single update that can be found here. As a word of warning, the SharePoint server updates (addressing an XSS issue) cannot be uninstalled. Make a backup of your server before this update. Add these updates (both desktop and server platforms) to your standard, scheduled update release schedule.
Development Tools (.NET and Chakra Core)
With this update cycle, we are still seeing updates to the Chakra engine, but few patches to core development platforms such as .NET. For October, Microsoft has released a critical update for its Azure App Service (please sanitize your inputs) and two important updates (CVE-2019-1313, CVE-2019-1376) to the SQL Server Management Studio (SSMS). I remember a time when the SSMS was a major management interface and routinely updated. It gets a lot less attention now, and I believe it’s because of the general move to the cloud for many corporate databases. Add the SSMS update to your scheduled update cycle. You don’t have a choice with the Azure platform. Microsoft will handle all these required changes.
In addition to the regular Patch Tuesday security related updates, the Microsoft .NET framework receives regular maintenance updates. For this October, Microsoft has not released any security updates for the .NET platform, but there are bug fixes released for .NET including:
- Windows 10 1903 and Windows Server, version 1903 (4524100)
  - .NET Framework 3.5, 4.8 (4515871)
- Windows 10 1809 (October 2018 Update) and Windows Server 2019 (4524099)
  - .NET Framework 3.5, 4.7.2 (4515855)
  - .NET Framework 3.5, 4.8 (4515843)
I think that this is the first time that we have a Microsoft update to an open source project with a patch to the Open Enclave project to address an information disclosure issue (CVE-2019-1369). If you would like to read more about this, you can check out the post from Mark Russinovich on the Confidential Computing Consortium. All these changes will require extensive testing, and so add these patches to your standard development release schedule.
Adobe
Adobe has not released any updates for Windows this month. This is good news and it’s now a few months since we saw any updates for Flash or Reader. If this is a trend, it is very welcome. As you don’t have to update Adobe this month, we suggest that you have a margarita.