Microsoft Unveils October 2019 Security Updates, Addressing 59 Vulnerabilities
Today, Microsoft has initiated the rollout of its October 2019 Patch Tuesday security updates, targeting 59 identified vulnerabilities within its Windows operating systems and affiliated software. Out of these, nine vulnerabilities are classified as critical, while 49 carry an important rating and one is considered moderate.
Notably, this month’s patch marks a significant milestone, as none of the patched vulnerabilities are currently recognized as publicly known or under active exploitation. Additionally, users can expect no bundled updates for Adobe Flash Player this month, breaking from previous trends.
In a timely reminder for users of Windows 7 and Windows Server 2008 R2, Microsoft has issued a notice highlighting the impending end of extended support for these systems within the next two months. No security updates will be provided for these platforms post-January 14, 2020, stressing the importance of timely upgrades.
Among the critical vulnerabilities that have been addressed, two are classified as remote code execution (RCE) flaws in the VBScript engine. These vulnerabilities, tracked as CVE-2019-1238 and CVE-2019-1239, enable attackers to manipulate memory and execute arbitrary code in the context of the affected user’s session. Remote exploitation may occur if victims are lured into visiting specially crafted websites through Internet Explorer.
Additionally, an exploit could arise via Microsoft Office documents or applications that embed an ActiveX control deemed ‘safe for initialization,’ leveraging the Internet Explorer rendering engine for nefarious purposes.
Continuing its trend from previous months, Microsoft has also rectified another reverse RDP attack vulnerability. This flaw allows adversaries to seize control of client computers that connect to malicious Remote Desktop Protocol (RDP) servers. Unlike the notable BlueKeep vulnerability, this newly patched RDP flaw necessitates user trickery into connecting to the compromised server, possibly through social engineering tactics, DNS poisoning, or Man-in-the-Middle (MITM) techniques.
Furthermore, the update addresses several critical RCE vulnerabilities within the Microsoft Edge browser’s Chakra scripting engine, as well as a critical flaw pertaining to privilege escalation tied to the Azure App Service on Azure Stack, highlighting the diverse range of vulnerabilities being mitigated.
Additional vulnerabilities marked as important encompass various Microsoft products and services, including Microsoft Windows, Internet Explorer, Microsoft Edge, and related applications such as Microsoft Office, SQL Server Management Studio, and Microsoft Dynamics 365. These vulnerabilities typically facilitate privilege escalation and can lead to information disclosure, cross-site scripting attacks, and service interruptions.
Business owners and IT administrators are strongly urged to implement these new security patches promptly to safeguard their systems from potential cyber threats. Timely patching is critical in the face of rising cybersecurity risks, as failure to do so could leave systems vulnerable to exploitation by malicious actors.
To apply the latest Microsoft security updates, users can navigate to Settings, access Update & Security, and select Windows Update to check for updates on their PC or choose to install updates manually.
Staying informed about cybersecurity changes and adhering to best practices is vital for business continuity in today’s ever-evolving threat landscape.