Patch Impact Assessment December 2019

Vulnerability Assessment

1 PUBLICLY DISCLOSED, 0 EXPLOITED, 0 ZERO-DAY

December brings peace and joy – or at least Microsoft has provided a relatively easy Patch Tuesday update. There is an urgent update to Microsoft Internet Explorer 11 and three critical updates to the Windows platform that will require some attention this month. In addition, we have cumulative updates for the .NET and SQL Server platforms that will require some testing before general deployment. That said, I think that 2020 will bring many interesting Patch Tuesdays with Microsoft’s new “staged” feature releases already included in Windows 10 1909.

Threatscape

Windows

PATCH NOW!

VULNERABILITIES: 3 critical, 18 important, 0 moderate, 0 low

Microsoft has addressed a total of 21 vulnerabilities on the Windows platform for this December Patch Tuesday with three rated as critical (CVE-2019-1471, CVE-2019-1468 and ADV990001) and the remaining 18 rated as important.

I suggest that some testing (and waiting) may be advised before a general roll-out of these Windows updates.

Browsers

SCHEDULE

VULNERABILITIES: 0 critical, 0 important, 0 moderate, 1 low

Microsoft has released a single critical update for Internet Explorer 11 that really does require urgent attention due to its link to ActiveX and its potential exploitability. Add this update to your “Patch Now” schedule, if you are still using IE11.

Office

SCHEDULE

VULNERABILITIES: 0 critical, 6 important, 0 moderate, 0 low

December has not been so kind to the Microsoft Office suite, with 6 reported vulnerabilities, all rated as important by Microsoft. There is a remote code execution scenario for Microsoft PowerPoint (CVE-2019-1462) that may need some urgent attention but the other updates should be included in your standard update release schedule.

Dev Tools

SCHEDULE

VULNERABILITIES: 5 critical, 1 important, 1 moderate, 0 low

We have not seen any other updates to the Visual Studio platform or, more importantly, to Azure for this month. All versions of the Microsoft .NET development platform will receive a cumulative update package (KB4533002).

Adobe

MARGARITA TIME!

VULNERABILITIES: 0 critical, 0 important, 0 moderate, 0 low

No Adobe updates for this month. If this continues into January, we will remove this section from our updates going forward. But for now, it’s Margarita time!


Understanding the Threatscape Report

The Readiness “Threatscape” report summarizes your risk of not applying this month’s patches, using all publicly-available vulnerability data.

It is equally important to know the risk to your applications if you DO apply this month’s patches. This, of course, depends on:

  • The current state (version and build) of each platform (Windows, Office, Browser, etc.).
  • Which applications are part of your portfolio.

Luckily, determining the risk of applying patches is easy (and fast and dynamic), thanks to our Dynamic Platform Assessment tool.

To understand what will happen when you apply this month’s patches, contact us and assess your first 25 applications for free.

For each major platform, the pie chart shows the breakdown of vulnerabilities rated critical, important, moderate and low. These match the tables below the graph.

The size of the pie represents the total number of vulnerabilities. The larger the pie, the more vulnerabilities present.

The position of the pie on the vertical axis represents the relative risk to your application portfolio. The higher the position, the higher the exploitability.
