First of all, this is a really big update for the Windows platform. And while we don’t have a zero-day vulnerability like September’s Patch Tuesday, there are two vulnerabilities that deserve our attention. The first (CVE-2019-1429) relates to a vulnerability in the Microsoft Script Engine which has been reported as publicly exploited. And the second, (CVE-2019-1457) is a publicly reported exploit in Microsoft Excel. We also think that the critical update to Exchange Server (CVE-2019-1373) will require immediate attention.
Though we are getting some pretty urgent patching requirements for older builds (especially Windows 7), Microsoft appears to have learnt from past lessons, as most later builds are largely immune to these attacks. This has two real benefits. First, having more secure systems is generally a good thing. Second, the IT department doesn’t have to rush out urgent fixes and can take the time to properly test and stage their desktop and server platform changes.
Microsoft has documented a few known issues for this November Patch Tuesday, which we have broken down into two sections including:
Office update issues:
- 4484113: After installing this update, you may see a “File failed to upload” error when saving files to a network location. To fix this issue, install KB 3085368
- 4523171: Exchange services may remain in a disabled state after you install this security update. This condition does not indicate that the update is not installed correctly. This condition may occur if the service control scripts experience a problem when they try to return Exchange services to their usual state.
Windows 10 and Server 2019:
- 4523205: There are a number of issues relating to Input Method Editors (IME) and Asian language packages for the Server installation process. For more information on these issues please refer to KB4026923.
Also, we are still seeing reports of the following error message: “Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. Microsoft has been working on this issue for four months now, and there is no fix expected soon.
No major Microsoft update revisions (at the time of writing) have been published.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge)
- Microsoft Windows (both desktop and server)
- Microsoft Office (Including Web Apps and Exchange)
- Microsoft Development platforms (.NET Core, .NET Core and Chakra Core)
- Adobe Flash Player
The core Microsoft Scripting Engine (including VBScript) appears to be the concern this month, with the three critical rated patches (CVE-2019-1429, CVE-2019-1390 and CVE-2019-1427) and three other patches rates as important. For the past few years, we have seen too many patches to both Scripting engines – most leading to relatively exploitable remote code execution scenarios. Unfortunately, this month there has been reports of a Microsoft Script engine vulnerability exploited in the wild (CVE-2019-1429) and that like the other related vulnerabilities could lead to arbitrary code execution in the user’s security context. There is even an ActiveX web-based attack for this vulnerability , which I thought was not really “allowed” anymore. Add these Microsoft browser updates to your “Patch Now” release cycle.
Make no mistake, this is a big update for the Microsoft Windows platform, with 57 patches, six rated as critical. The six critical patches could lead to a remote code execution scenario, with Microsoft’s Hyper-V virtualization platform receiving the most attention this month. Given our experience with these types of updates in the past, we believe that the Windows font library patch (CVE-2019-1441) could be a likely candidate for potential application compatibility issues. If you are running Windows 7, this is a Patch Now update. If you are running Windows 10 (preferably later than 1803) then there are significant changes to the Hyper-V platform that will require testing. Schedule this Windows update, with a staggered release schedule for your Windows 10 desktops.
This is an unusual month for Microsoft Office updates. As usual, Microsoft has released (this month – nine) updates for Office that affect Exchange Server, Excel and Office Online. As usual, there are a number of Spoofing (CVE-2019-1445 and CVE-2019-1447) and Security Feature Bypass vulnerabilities (CVE-2019-1442 and CVE-2019-1449) addressed in the monthly security roll-up. Unusually, there has been a publicly reported exploit for Excel (CVE-2019-1457) that though difficult to exploit, an attacker can still rely on non-secure Excel macros and the fact that users will still download and open Excel files sent to them from strangers. As a result of this, please add this month’s Microsoft Office update to your “Patch Now” release cycle.
This is a relatively quiet month for Microsoft developer tools updates with just two patches (CVE-2019-1370 and CVE-2019-1425), both rated as important by Microsoft. Affecting the open source Open Enclave SDK toolkit and Visual Studio, these two vulnerabilities may lead to an elevation of privilege security issue. Fortunately, the Visual Studio vulnerability has already been separately addressed by two NPM advisories: Arbitrary File Overwrite and the fstream version. Add this update to your regular developer update schedule.
No Adobe updates for this month. If this continues into January, we will remove this section from our updates going forwards. But for now, it’s Margarita time!