You know the deal: October 2019. Pwned by a spreadsheet. Patch your Microsoft stuff

On the bright side, nothing from Adobe to install this month

Patch Tuesday October brings a relatively light patch load for admins and users, thanks to Adobe's decision to sit out this month's update bonanza.

Cloudy patch bundle from Microsoft

For Microsoft, the Patch Tuesday update is a manageable 59 CVE-listed bugs for Windows, Edge, Office, and Azure.

Among the nine critical issues patched this month is CVE-2019-1372, a flaw in Azure that allows end-users running on virtual machines to send and execute code on the host machines.

This is particularly bad because it is, in essence, both an elevation of privilege bug and a remote code execution vulnerability.

"An attacker could use this vulnerability to have an unprivileged function run by a user execute code at the level of System. That provides an attacker a nifty sandbox escape," explained Dustin Childs of the Trend Micro ZDI.

"Microsoft gives this an 'Exploitation Less Likely' Exploit Index rating, but if you use the Azure App Service, don’t depend on that and do apply the patch."

Aside from the Azure flaw, October's update addresses many of the usual security holes in Microsoft's offerings. Seven critical fixes address remote code execution flaws in the Chakra and VBScript tools that can be exploited through a poisoned web page.

The remote desktop client continues to be an area of concern, thanks to CVE-2019-1333. That flaw allows a bad actor to achieve remote code execution by tricking the mark into connecting to a malicious server.

While Microsoft doesn't usually consider Office bugs to be critical, admins should also pay special attention to those flaws, including CVE-2019-1327. An attacker would be able to get remote code execution by tricking the user into opening a poisoned file.

Considering how often users in a business setting will open Excel spreadsheet attachments without a second thought, we would argue this flaw is just as dangerous as any browser-based flaw.

Windows 10 Mobile also got in on the Patch Tuesday fun this month, as the platform was subject to CVE-2019-1314. The security bypass flaw lets users work around the Cortana lock screen to access a device.

"Although Microsoft details the bug, they aren’t fixing it. Instead, they recommend users of Windows 10 Mobile disable Cortana on the lock screen," explained Childs.

"If your organization uses devices with this OS, start rounding them up to make the change."

No Adobe fixes, but Android needs patching

Notably absent this month is Adobe. The media giant has opted not to post any fixes for Flash, Reader, Acrobat, or any of its other offerings. The most recent Adobe release was the September 25 update for ColdFusion.

Meanwhile, there is a late-arriving monthly patch from Google for Android. The mobile platform has received a number of fixes, most notably patches for three remote code execution bugs in the media framework that allow attacks via poisoned files.

Those who have Google-branded devices can get the Android updates directly from the Chocolate Factory, while others will have to wait for their device vendor or carrier to get around to releasing the patch.

Eight patches from SAP

Catalina island

MacOS 'Catalina' 10.15 comes packed with exclusive security fixes – gee, thanks, Apple


SAP, on the other hand, was more than happy to take part in this month's Patch Tuesday. The enterprise software powerhouse released patches for eight CVE-listed flaws.

Among the most serious were CVE-2019-0379, a security bypass bug thanks to a missing authentication check in NetWeaver and CVE-2019-0380, an information Disclosure bug in SAP Landscape Management.

Admins are advised to test and install all of the patches as soon as possible.

While October saw a reduced patch load thanks to the absence of Adobe and Google, those who dragged their feet on the updates for MacOS and Cisco may have those patches to install on top of today's bundle. ®

Other stories you might like

  • Stolen university credentials up for sale by Russian crooks, FBI warns
    Forget dark-web souks, thousands of these are already being traded on public bazaars

    Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

    According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

    "The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.

    Continue reading
  • Big Tech loves talking up privacy – while trying to kill privacy legislation
    Study claims Amazon, Apple, Google, Meta, Microsoft work to derail data rules

    Amazon, Apple, Google, Meta, and Microsoft often support privacy in public statements, but behind the scenes they've been working through some common organizations to weaken or kill privacy legislation in US states.

    That's according to a report this week from news non-profit The Markup, which said the corporations hire lobbyists from the same few groups and law firms to defang or drown state privacy bills.

    The report examined 31 states when state legislatures were considering privacy legislation and identified 445 lobbyists and lobbying firms working on behalf of Amazon, Apple, Google, Meta, and Microsoft, along with industry groups like TechNet and the State Privacy and Security Coalition.

    Continue reading
  • SEC probes Musk for not properly disclosing Twitter stake
    Meanwhile, social network's board rejects resignation of one its directors

    America's financial watchdog is investigating whether Elon Musk adequately disclosed his purchase of Twitter shares last month, just as his bid to take over the social media company hangs in the balance. 

    A letter [PDF] from the SEC addressed to the tech billionaire said he "[did] not appear" to have filed the proper form detailing his 9.2 percent stake in Twitter "required 10 days from the date of acquisition," and asked him to provide more information. Musk's shares made him one of Twitter's largest shareholders. The letter is dated April 4, and was shared this week by the regulator.

    Musk quickly moved to try and buy the whole company outright in a deal initially worth over $44 billion. Musk sold a chunk of his shares in Tesla worth $8.4 billion and bagged another $7.14 billion from investors to help finance the $21 billion he promised to put forward for the deal. The remaining $25.5 billion bill was secured via debt financing by Morgan Stanley, Bank of America, Barclays, and others. But the takeover is not going smoothly.

    Continue reading

Biting the hand that feeds IT © 1998–2022