October 2019 Patch Tuesday has seen Microsoft patch 59 vulnerabilities in its products including 8 critical flaws and 1 critical security advisory about the latest servicing stack updates. 49 vulnerabilities are rated important and 1 is of moderate severity. While prompt patching is strongly advisable, none of the flaws in this month’s round of updates are publicly known or are being used in attacks in the wild.
The patches have been issued for Azure, ChakraCore, Dynamics 365, Edge, Internet Explorer, Management Studio, Microsoft Graphics Component, Microsoft Office, Microsoft Office SharePoint, Microsoft JET Database Engine, Microsoft Scripting Engine, Secure Boot, SQL Server, Windows 10, Windows Hyper-V, Windows IIS, Windows Kernel, Windows NTLM, Windows RDP, and Windows Update Assistant. No updates have been released for Adobe Flash Player this month.
Two of the critical vulnerabilities – CVE-2019-1238 and CVE-2019-1239 – affect the VBScript engine and could be exploited by sending specially crafted Microsoft Office documents or via specially crafted web pages that exploit the vulnerabilities via Internet Explorer.
Three critical memory corruption vulnerabilities affect the Chakra Scripting Engine – CVE-2019-1366, CVE-2019-1307 and CVE-2019-1308 – which could be exploited by convincing a user to visit a specially crafted web page, such as via malicious emails or malvertising.
One critical remote code execution flaw – CVE-2019-1333 – affects the Remote Desktop Client and could be exploited if a user connects to a malicious server, for example after being redirected to it through a man-in-the-middle attack, DNS poisoning, or social engineering.
An Azure App Service remote code execution flaw – CVE-2019-1372 – could allow an unprivileged function run by the user to execute code in the context of NT AUTHORITY\system and escape the sandbox.
The last critical flaw is a remote code execution vulnerability in Microsoft XML – CVE-2019-1060 – which occurs when the Microsoft XML Core Services MSXML parser processes user input. The flaw could be exploited via a specially crafted web page.
Microsoft has also issued a reminder to users of Windows 7 and Windows Server 2008 R2 that these operating systems are approaching end of life. Extended support will stop in two months, and updates will no longer be issued after January 14, 2020.