Vulnerability Assessment
1
PUBLICLY DISCLOSED
1
EXPLOITED
0
ZERO-DAY
This is a really big update for the Windows platform. And while we don’t have a zero-day vulnerability like September’s Patch Tuesday, there are two vulnerabilities that deserve our attention. The first (CVE-2019-1429) relates to a vulnerability in the Microsoft Script Engine which has been reported as publicly exploited. And the second, (CVE-2019-1457) is a publicly reported exploit in Microsoft Excel.
Threatscape
Windows
PATCH NOW!
VULNERABILITIES
9
CRITICAL
48
IMPORTANT
0
MODERATE
0
LOW
If you are running Windows 10 (preferably later than 1803) then there are significant changes to the Hyper-V platform that will require testing. Schedule this Windows update, with a staggered release schedule for your Windows 10 desktops.
Browsers
PATCH NOW!
VULNERABILITIES
3
CRITICAL
1
IMPORTANT
2
MODERATE
0
LOW
Unfortunately, this month there has been reports of a Microsoft Script engine vulnerabilities exploited in the wild (CVE-2019-1429) that like other related vulnerabilities could lead to arbitrary code execution in the user’s security context. There is even an ActiveX web-based attack for this vulnerability, which we thought was not really “allowed” anymore. Add these Microsoft browser updates to your “Patch Now” release cycle.
Office
SCHEDULE
VULNERABILITIES
1
CRITICAL
9
IMPORTANT
0
MODERATE
0
LOW
Unusually, there has been a publicly reported exploit for Excel (CVE-2019-1457) that though difficult to exploit. This security relies on Excel macros and the vain hope that users will not download and open Excel files sent to them from strangers. As a result of this, please add this month’s Microsoft Office update to your “Patch Now” release cycle.
Dev Tools
SCHEDULE
VULNERABILITIES
0
CRITICAL
2
IMPORTANT
0
MODERATE
0
LOW
Adobe
MARGARITA TIME!
VULNERABILITIES
0
CRITICAL
0
IMPORTANT
0
MODERATE
0
LOW
No Adobe updates for this month. If this continues into January, we will remove this section from our updates going forward. But for now, it’s Margarita time!