November is bringing arctic winds to many parts of the United States, but as we sit and shiver and try to stay warm (and in my case, dream of the sunny Caribbean islands where I’ll be sailing later in the month), the hackers keep on hacking and the attackers keep on attacking, exploiting whatever vulnerabilities they can find in operating system and application software.

Perhaps Microsoft can take comfort in the fact that their products are no longer alone in being targeted by attackers. As the Pwn2Own contest in Tokyo this month demonstrated, IoT devices are the new favorite victims, with Amazon Echos, Samsung and Sony smart TVs, and the Galaxy S10 smartphone all being successfully compromised.

Meanwhile, the UK Labour Party was hit by a sophisticated and large-scale DDoS (Distributed Denial of Service) attack, a ransomware attack hit Mexico’s Petroleos Mexicanos, disrupting the company’s billing systems, and there are reports of a cyber-attack on the Kudankulam nuclear power plant in Tamil Nadu, India, to name just a few of the most recent IT security incidents around the globe.

Keeping systems updated is only one component in protecting against attacks, but it’s an important one, and one of the most cost-effective. As usual, Microsoft released updates for all supported operating systems this month, along with patches for both web browsers, Office, Exchange, Visual Studio, and Azure Stack.

Let’s look at some of the specifics of this month’s software updates and the vulnerabilities that they address.

Operating system, OS components, and web browser updates

I’m going to first mention Windows 10 version 1909, since it’s a long-awaited update (also called the Windows 10 November 2019 Update and code-named Vanadium). The build number is 18363. This is a minor feature update, as Microsoft has been doing in the fall (along with a major update in the spring). This update has been in testing for a while and was distributed to developers in October. It will now be offered via Windows Update to mainstream users.

Windows 10 and Windows Server 2019

This month’s patches address forty-six vulnerabilities in Windows 10 versions 1803, 1809, and 1903. These include five, four, and two that are rated as critical, respectively. The critical vulnerabilities are remote code execution issues.

See the following KB articles for information about the issues addressed by the August 13 updates for the various versions of Windows 10:

  • Windows 10 version 1803 – KB4525237 – contains updates to improve security when using Internet Explorer and Microsoft Edge, updates to improve security when using external devices (such as game controllers, printers, and web cameras) and input devices such as a mouse, keyboard, or stylus, and updates to improve security when using Microsoft Office products.
  • Windows 10 version 1809 – KB4523205 – likewise contains updates to improve security when using Internet Explorer and Microsoft Edge, updates to improve security when using external devices (such as game controllers, printers, and web cameras) and input devices such as a mouse, keyboard, or stylus, and updates to improve security when using Microsoft Office products.
  • Windows 10 version 1903 and 1909 – KB4524570 – contains updates to improve security when using Internet Explorer and Microsoft Edge. These include addressing an issue in the Keyboard Lockdown Subsystem that might not filter key input correctly; protections against the Intel® Processor Machine Check Error vulnerability (CVE-2018-12207); protections against the Intel® Transactional Synchronization Extensions (Intel® TSX) Transaction Asynchronous Abort vulnerability (CVE-2019-11135); and security updates to Microsoft Scripting Engine, Internet Explorer, Windows App Platform and Frameworks, Microsoft Edge, Windows Fundamentals, Windows Cryptography, Windows Virtualization, Windows Linux, Windows Kernel, Windows Datacenter Networking, and the Microsoft JET Database Engine.

You can find details about each of the patches in the corresponding KB articles linked to each OS version above. Note that some of the cumulative updates also address non-security issues. This article focuses on the security-related fixes.

Older client operating systems

If you’re still using an older supported version of Windows, you’ll still need to be diligent about applying this month’s updates as critical vulnerabilities apply across all versions.

The following security updates apply to previous Windows operating systems:

  • Windows 8.1/Server 2012 R2 – Monthly Rollup: KB4525243 and Security-only Update: KB4525250. Includes security updates to Microsoft Scripting Engine, Internet Explorer, Microsoft Graphics Component, Windows Input and Composition, Windows Cryptography, Windows Virtualization, Windows Kernel, Windows Datacenter Networking, and the Microsoft JET Database Engine.
  • Windows 7 – Monthly Rollup: KB4525235 and Security-only Update: KB4525233. Includes security updates to Microsoft Scripting Engine, Windows Input and Composition, Microsoft Graphics Component, Windows Cryptography, Windows Virtualization, Windows Kernel, Windows Datacenter Networking, and the Microsoft JET Database Engine.

You can find details about each of the patches in the corresponding KB articles linked to each OS version above.

Prior Windows Server operating systems

Windows Server 2008 and 2012 received regular monthly and security only updates as follows:

  • Windows Server 2008 SP2 – Security Monthly Quality Rollup for Windows Server 2008 (KB4525234) and Security Only Quality Update for Windows Server 2008 (KB4525239). Provides protections against the Intel® Processor Machine Check Error vulnerability (CVE-2018-12207). Provides protections against the Intel® Transactional Synchronization Extensions (Intel® TSX) Transaction Asynchronous Abort vulnerability (CVE-2019-11135). Includes security updates to the Microsoft Scripting Engine, Internet Explorer, Microsoft Graphics Component, Windows Input and Composition, Windows Cryptography, Windows Virtualization, Windows Kernel, Windows Datacenter Networking, and the Microsoft JET Database Engine.
  • Windows Server 2012 R2 – Security Monthly Quality Rollup for Windows Embedded 8 Standard and Windows Server 2012 (KB4525246) and Security Only Quality Update for Windows Embedded 8 Standard and Windows Server 2012 (KB4525253). Provides protections against the Intel® Processor Machine Check Error vulnerability (CVE-2018-12207). Provides protections against the Intel® Transactional Synchronization Extensions (Intel® TSX) Transaction Asynchronous Abort vulnerability (CVE-2019-11135). Includes security updates to the Microsoft Graphics Component, Windows Input and Composition, Windows Cryptography, Windows Virtualization, Windows Kernel, Windows Datacenter Networking, and the Microsoft JET Database Engine.
  • Cumulative Update for Windows Server 2016 (KB4525236)
  • Cumulative Update for Windows Server version 1909 (KB4524570)
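
A quick way to check a host against the KB numbers this article lists, as an added PowerShell example that is not part of the original article. The build-number-to-release mapping and the names `Test-Nov2019Update` and `$Nov2019Kb` are assumptions introduced here; where both a monthly rollup and a security-only update exist, either one counts as patched.

```powershell
# Added example. KB numbers are the ones listed in this article; the build
# numbers (as strings) are the standard identifiers for each Windows release.
$Nov2019Kb = @{
    '17134' = @('KB4525237')               # Windows 10 1803
    '17763' = @('KB4523205')               # Windows 10 1809 / Server 2019
    '18362' = @('KB4524570')               # Windows 10 1903
    '18363' = @('KB4524570')               # Windows 10 1909
    '14393' = @('KB4525236')               # Windows 10 1607 / Server 2016
    '16299' = @('KB4525241')               # Windows 10 1709
    '9600'  = @('KB4525243', 'KB4525250')  # Windows 8.1 / Server 2012 R2
    '9200'  = @('KB4525246', 'KB4525253')  # Windows Server 2012
    '7601'  = @('KB4525235', 'KB4525233')  # Windows 7 SP1
}

function Test-Nov2019Update {
    param(
        [Parameter(Mandatory)] [int] $Build,   # OS build number of the host
        [string[]] $InstalledKb = @()          # HotFixID values found on the host
    )
    $key = [string]$Build
    if (-not $Nov2019Kb.ContainsKey($key)) {
        # Release not covered by the table: report it rather than guess.
        return [pscustomobject]@{
            Build = $Build; Status = 'Unknown'; Expected = @(); Found = @()
        }
    }
    $expected = $Nov2019Kb[$key]
    # Any one of the expected KBs (rollup OR security-only) is sufficient.
    $found  = @($expected | Where-Object { $InstalledKb -contains $_ })
    $status = if ($found.Count -gt 0) { 'Installed' } else { 'Missing' }
    [pscustomobject]@{
        Build = $Build; Status = $status; Expected = $expected; Found = $found
    }
}

# Constructed sample input: a Windows 8.1 host with only the security-only update.
Test-Nov2019Update -Build 9600 -InstalledKb @('KB4525250')

# Live check on the local machine.
$build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
$kbs   = (Get-HotFix).HotFixID
Test-Nov2019Update -Build $build -InstalledKb $kbs
```

A `Missing` result means none of the listed KBs is registered on the host. A machine carrying a later cumulative update or monthly rollup also contains these fixes, so confirm against the installed build revision before treating it as unpatched.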

Microsoft web browsers

Internet Explorer got only two security fixes this month, but both of the vulnerabilities patched are rated critical. These include a VBScript remote code execution vulnerability and a scripting engine memory corruption vulnerability.

Microsoft Edge gets patches for four vulnerabilities, with all four rated critical. These include three scripting engine memory corruption issues and a security feature bypass vulnerability.

Other Microsoft products and services

Updates were also released this month for the following software:

  • ChakraCore
  • Microsoft Office and Microsoft Office Services and Web Apps
  • Open Source Software
  • Microsoft Exchange Server
  • Visual Studio
  • Azure Stack

Known issues

There are several known issues with the various updates, so please check out the “Known Issues” in each of the applicable KB articles.

  • KB4484113 Microsoft Exchange Server
  • KB4523171 Microsoft Exchange Server
  • KB4523205 Windows 10, version 1809, Windows Server 2019
  • KB4524570 Windows 10, version 1903, Windows Server version 1903
  • KB4525232 Windows 10
  • KB4525236 Windows 10, version 1607, Windows Server 2016
  • KB4525237 Windows 10, version 1803, Windows Server version 1803
  • KB4525241 Windows 10, version 1709
  • KB4525243 Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)
  • KB4525246 Windows Server 2012 (Monthly Rollup)
  • KB4525250 Windows 8.1, Windows Server 2012 R2 (Security-only update)
  • KB4525253 Windows Server 2012 (Security-only update)

Critical vulnerabilities

The following are some examples of the critical vulnerabilities addressed by this month’s updates (this is not a comprehensive list of all vulnerabilities patched this month):

CVE-2019-1389 – Windows Hyper-V Remote Code Execution Vulnerability. A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code.

CVE-2019-1419 – OpenType Font Parsing Remote Code Execution Vulnerability. A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles specially crafted OpenType fonts. For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely. For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

CVE-2019-1441 – Win32k Graphics Remote Code Execution Vulnerability. A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

CVE-2019-1430 – Microsoft Windows Media Foundation Remote Code Execution Vulnerability. A remote code execution vulnerability exists when Windows Media Foundation improperly parses specially crafted QuickTime media files. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

CVE-2019-1390 – VBScript Remote Code Execution Vulnerability. A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.

CVE-2019-1413 – Microsoft Edge Security Feature Bypass Vulnerability. A security feature bypass vulnerability exists when Microsoft Edge improperly handles extension requests and fails to request host permission for all_urls. An attacker who successfully exploited this vulnerability could trick a browser into installing an extension without the user’s consent.

CVE-2019-1426 – Scripting Engine Memory Corruption Vulnerability. A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge (HTML-based). The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.
