Patch Impact Assessment (Threatscape Report) September 2019

Here’s our 2019 Patch Impact assessment report reformatted with our new “Threatscape” report, showing a more complete assessment of the risk of not installing September’s Patch Tuesday updates in an easily-digestible, at-a-glance report. We’ll be using this format going forward (unfortunately it wasn’t ready in time for this month’s Patch Impact Assessment post).

Vulnerability Assessment

3

PUBLICLY DISCLOSED

2

EXPLOITED

2

ZERO-DAY

This September update cycle brings two zero-days and three publicly reported vulnerabilities in the Windows platform. These two zero-days (CVE-2019-2014 and CVE-2019-1215) have credibly reported exploits which could lead to arbitrary code execution on the target machine. Both browser and Windows updates require immediate attention and your development team will need to spend some time with the latest patches to .NET and .NET Core.

Threatscape

Exploitability

CVE-2019-2014 (Zero-day)

CVE-2019-1215 (Zero-day)

CVE-2019-1208 (Edge and IE)

CVE-2019-1236 (Edge and IE)

CVE-2019-1295

CVE-2019-1257

CVE-2019-1296

CVE-2019-1138 (Chakra)

CVE-2019-1217 (Chakra)

CVE-2019-1237 (Chakra)

CVE-2019-1298 (Chakra)

CVE-2019-1300 (Chakra)

CVE-2019-8070

CVE-2019-8069

Windows

PATCH NOW!

VULNERABILITIES

5
CRITICAL

44
IMPORTANT

1
MODERATE

0
LOW

Microsoft has attempted to address five critical vulnerabilities and a further 44 security issues that have been rated as important by Microsoft. The “elephant in the room” is the two zero-day publicly exploited vulnerabilities.

As mentioned previously, this is a big update, with credible reports of publicly exploited vulnerabilities on the Windows platform. Add this update to your “Patch Now” release schedule.

Browsers

PATCH NOW!

VULNERABILITIES

8
CRITICAL

2
IMPORTANT

8
MODERATE

1
LOW

Microsoft is working to address eight critical updates that could lead to a remote code execution scenario. A pattern is emerging with a recurring set of security issues raised against Chakra Scripting Engine, VBScript and Microsoft Scripting Engine.

All of these issues affect the most recent versions of Windows 10 (both 32-bit and 64-bit) and apply to both Edge and Internet Explorer (IE). The VBScript issues (CVE-2019-1208) and CVE-2019-1236) are particularly nasty as a visit to a website may lead to the inadvertent install of a malicious ActiveX control which then effectively cedes control to an attacker.

Office

SCHEDULE

VULNERABILITIES

3
CRITICAL

7
IMPORTANT

1
MODERATE

0
LOW

Lync 2013 may not be your top priority this month, but the JET and SharePoint issues are serious and will require a response. The Microsoft JET database issues are the cause of most concern, even though Microsoft has rated them important, as they are key dependencies across a broad platform. Microsoft JET has always been difficult to debug and now it seems to be causing security issues every month for the past year.

Dev Tools

SCHEDULE

VULNERABILITIES

6
CRITICAL

6
IMPORTANT

0
MODERATE

0
LOW

Critical updates to Chakra Core and Microsoft Team Foundation server will require immediate attention while the remaining patches should be included in the developer update release schedule. With upcoming major releases to .NET Core this November, we will continue to see large updates in this area. As always, we suggest some thorough testing and a staged release cadence for your development updates.

Adobe

PATCH NOW!

VULNERABILITIES

2
CRITICAL

0
IMPORTANT

0
MODERATE

0
LOW

Adobe is back on form with a critical update included in this month’s regular patch cycle. Adobe’s update (APSB19-46) addresses two memory related issues which could lead to arbitrary code execution on the target platform. Both security issues (CVE-2019-8070 and CVE-2019-8069) have a combined base CVSS score of 8.2, and so we suggest that you add this critical update to your Patch Tuesday release schedule.

Leave a Comment

Your email address will not be published. Required fields are marked *

Understanding the Threatscape Report

The Readiness “Threatscape” report summarizes your risk of not applying this month’s patches, using all publicly-available vulnerability data.

It’s important to note that it’s equally important to know the risk to your applications if you DO apply this month’s patches. This is of course is dependent on:

  • The current state (version and build) of each platform (Windows, Office, Browser, etc.).
  • Which applications are part of your portfolio.

Luckily, determining the risk of applying patches is easy (and fast and dynamic, thanks to our Dynamic Platform Assessment tool.

To understand what will happen when you apply this month’s patches, contact us and assess your first 25 applications for free.

For each major platform, the pie chart shows the breakdown of vulnerabilities rated critical, important, moderate and low. These match the tables below the graph.

The size of the pie represents the total number of vulnerabilities. The larger the pie, the more vulnerabilities present.

The position of the pie on the vertical axis represents the relative risk to your application portfolio. The higher the position, the higher the exploitability.

Related Posts

Patch Tuesday

A Fat Windows Update for September’s Patch Tuesday

Microsoft released 129 updates to its Windows ecosystem this month. The good news: we are not dealing with any zero-days or publicly reported vulnerabilities.

Read More
Assurance Dashboard

Assurance Security Dashboard September 2020

Here is our Assurance Security dashboard that shows the risk associated with this month’s Patch Tuesday updates.

Read More
Patch Tuesday

A zero-day and testing of key printing features will drive August Windows updates

Though a DNS-spoofing vulnerability in Windows has been rated as a zero-day, the focus for this month’s updates should be on testing key Windows features prior to deployment.

Read More