Patch Impact Assessment September 2019

Vulnerability Assessment

Publicly disclosed: 3
Exploited: 2
Zero-day: 2

This September update cycle brings two zero-days and three publicly reported vulnerabilities in the Windows platform. The two zero-days (CVE-2019-2014 and CVE-2019-1215) have credibly reported exploits that could lead to arbitrary code execution on the target machine. Both the browser and Windows updates require immediate attention, and your development team will need to spend some time with the latest patches to .NET and .NET Core.

Windows

Microsoft has attempted to address five critical vulnerabilities and a further 44 security issues that it has rated as important. The “elephant in the room” is the pair of publicly exploited zero-day vulnerabilities.

As mentioned previously, this is a big update, with credible reports of publicly exploited vulnerabilities on the Windows platform. Add this update to your “Patch Now” release schedule.

VULNERABILITIES

Low: 0
Moderate: 1
Important: 44
Critical: 5

PATCH NOW!

Browsers

Microsoft is working to address eight critical updates that could lead to a remote code execution scenario. A pattern is emerging with a recurring set of security issues raised against Chakra Scripting Engine, VBScript and Microsoft Scripting Engine.

All of these issues affect the most recent versions of Windows 10 (both 32-bit and 64-bit) and apply to both Edge and Internet Explorer (IE). The VBScript issues (CVE-2019-1208 and CVE-2019-1236) are particularly nasty, as a visit to a website may lead to the inadvertent install of a malicious ActiveX control, which then effectively cedes control to an attacker.

VULNERABILITIES

Low: 1
Moderate: 8
Important: 2
Critical: 8

PATCH NOW!

Office

Lync 2013 may not be your top priority this month, but the JET and SharePoint issues are serious and will require a response. The Microsoft JET database issues are the cause of most concern, even though Microsoft has rated them important, as they are key dependencies across a broad platform. Microsoft JET has always been difficult to debug, and it now seems to have been causing security issues every month for the past year.

Add this update to your standard patch schedule, and make sure that all of your legacy database applications have been tested before a full roll-out.

VULNERABILITIES

Low: 0
Moderate: 1
Important: 7
Critical: 3

SCHEDULE

Dev Tools

Critical updates to Chakra Core and Microsoft Team Foundation Server will require immediate attention, while the remaining patches should be included in the developer update release schedule. With upcoming major releases to .NET Core this November, we will continue to see large updates in this area. As always, we suggest some thorough testing and a staged release cadence for your development updates.

VULNERABILITIES

Low: 0
Moderate: 0
Important: 6
Critical: 6

SCHEDULE

Adobe Flash Player

Adobe is back on form with a critical update included in this month’s regular patch cycle. Adobe’s update (APSB19-46) addresses two memory-related issues which could lead to arbitrary code execution on the target platform. Both security issues (CVE-2019-8070 and CVE-2019-8069) have a combined base CVSS score of 8.2, so we suggest that you add this critical update to your Patch Tuesday release schedule.

VULNERABILITIES

Low: 0
Moderate: 0
Important: 0
Critical: 2

PATCH NOW!
