Qualys: October 2019 Patch Tuesday – 59 vulns, 9 Critical, Azure App Service, Remote Desktop Client, PoC for Windows Error Reporting
October 08, 2019 at 02:41 pm EDT
This month's Microsoft Patch Tuesday addresses 59 vulnerabilities with only 9 of them labeled as Critical. Of the 9 Critical vulns, 7 of them are for browsers and scripting engines. The remaining 2 are for Azure App Service and Remote Desktop Client. In addition, PoC code has been published for an Important Windows Error Reporting vulnerability. Adobe has not posted any patches for Patch Tuesday, but did issue out-of-band patches for ColdFusion on September 24th.
Workstation Patches
Scripting Engine, Browser, and MSXML patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.
Azure App Service RCE
A Remote Code Execution vulnerability (CVE-2019-1372) exists in Azure App Service on Azure Stack that allows an attacker to escape the sandbox and execute malicious code as System. If you have the Azure App Service deployed to your Azure Stack, this patch should be prioritized.
Remote Desktop Client RCE
Another Remote Code Execution vulnerability (CVE-2019-1333) has been patched in the Remote Desktop Client. Exploiting this vulnerability would require a target to connect to a malicious Remote Desktop Server.
Publicly Disclosed Privilege Escalation in Windows Error Reporting Manager
A vulnerability (CVE-2019-1315) in Windows Error Reporting Manager has been publicly disclosed along with PoC code. Exploitation of this vulnerability allows an attacker to overwrite arbitrary files, which could lead to privilege escalation.
Out-of-Band Patches for Internet Explorer and Windows Defender
On September 23rd, Microsoft issued out-of-band patches for Internet Explorer and Windows Defender. To read more about these vulnerabilities, and how to detect and patch them, please see our recent blog post.
Adobe
At the time of this writing, Adobe has not released any patches for Patch Tuesday. However, they did release out-of-band patches on September 24th for ColdFusion 2016 and 2018, covering two Critical vulnerabilities and one Important.
Disclaimer
Qualys Inc. published this content on 08 October 2019 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 08 October 2019 18:40:03 UTC
Qualys, Inc. is a provider of a cloud-based platform delivering information technology (IT), security and compliance solutions. The Company's integrated suite of IT, security and compliance solutions delivered on Qualys' Enterprise TruRisk Platform enables its customers to identify and manage their IT and operational technology (OT) assets, collect, and analyze large amounts of IT security data, recommend, and implement remediation actions and verify the implementation of such actions. It provides its solutions through a software-as-a-service model, primarily with renewable annual subscriptions. Its cloud platform offers an integrated suite of solutions that automates the lifecycle of asset discovery and management, security and compliance assessments, and remediation for an organization's IT infrastructure and assets, whether such infrastructure and assets reside inside the organization, on their network perimeter, on endpoints or in the cloud.