Tim Lovegrove
Security Analyst
Welcome to the September 2019 Patch Roundup, where we look at the latest updates from the main vendors released on Patch Tuesday and dissect a few of the key releases. While the numbers are still quite high, this month thankfully appears to be a more standard set of releases, with few vulnerabilities that need emergency attention.
Microsoft
Microsoft released patches for 80 vulnerabilities, of which 18 are rated as Critical. While none are quite as headline-grabbing as in recent months, there’s still some pretty serious bugs being fixed and it’s a reminder that a vulnerability doesn’t need a fancy logo and a catchy name for it to need addressing.
With that said, RDP is still under close scrutiny after the recent “BlueKeep” announcements and gets another 4 bugs fixed this month. These require the victim to connect to a compromised site, rather than being usable by targeting vulnerable internet-facing RDP hosts, however the end result is similar, and they get a Critical rating from Microsoft.
A couple of interesting vulnerabilities have been fixed which are being actively attacked in the wild, mainly targeted against older OSes. These two, CVE-2019-1215 and CVE-2019-1214, exist deep down in WINSOCK and the Common Log File System respectively, and both require local access to the system to exploit, enabling elevation of privileges to the attacker.
A large proportion of the remaining bugs relate to the scripting engines for Microsoft’s browsers, Internet Explorer and Edge, whereby malicious code embedded in a webpage can result in Remote Code Execution. Browsers are always rich pickings for attackers and are likely to be the end-user’s main exposure to vulnerability risks, making it important to get them updated as quickly as possible.
Adobe
After a couple of quiet months, Adobe finally dropped some updates for Flash. Fortunately, both the fixed vulnerabilities are relatively minor and aren’t being actively attacked in the wild, making it an easy win to update. Nothing for Reader/Acrobat this month, which will be a relief to sysadmins.
Get in Touch
If you'd like any advice on the patches mentioned above, or any we haven't mentioned here, please get in touch with your Softcat Account Manager, or using the button below.