patch tuesday
Threat Research

Microsoft fixes drop in number for October, 2019 updates

A relatively low number of vulnerabilities were addressed in this month's Windows update rollups

Last month started a bit overheated at Microsoft Security, when an out-of-band update was pushed for Windows in order to fix a browser bug being exploited in the wild.

However, October’s Patch Tuesday brings with it fixes for an unexpectedly low number of security vulnerabilities: 56. Of that, 20 are classified as Elevation of Privilege type of bugs, and another 14 as Remote Code Execution bugs. Notably, only 9 of this month’s fixed vulnerabilities are branded critical. Here is some highlights:

Remote Desktop Client Remote Code Execution

CVE-2019-1333

We and the computer security press covered RDP (Remote Desktop Protocol) vulnerabilities extensively a few months ago, due to the RDP Server vulnerability “BlueKeep” fixed in this year’s May Patch Tuesday.

This month, Microsoft fixed another bug in RDP, but this time the affected component here is the client side of RDP, whereas previous fixes (such as the one that addressed the BlueKeep vulnerability) targeted the server components. A bug that affects the client-side of RDP means a system is only in danger of being compromised if a user runs the RDP client (the “mstsc.exe” command) to establish a connection to a malicious RDP server set up by an attacker.

When you consider how unlikely it is that such an attack can succeed, it can be safely deemed a low impact bug.

Internet Explorer / Chakra / VBScript Remote Code Execution

CVE-2019-1060, CVE-2019-1238, CVE-2019-1239, CVE-2019-1307, CVE-2019-1308, CVE-2019-1335, CVE-2019-1366, CVE-2019-1371

Adding to the Internet Explorer bug fixed in the out-of-band update, 8 bugs involving Microsoft browsers have been fixed in this rollup: 3 in VBScript, 1 in Internet Explorer, and 4 in Chakra (Edge).

Win32k Elevation of Privilege

CVE-2019-1362

One of the 20 vulnerabilities classified as Elevation of Privilege (EoP), CVE-2019-1362 is a memory corruption vulnerability in Win32k – the Kernel-mode side of the Windows graphical component.

In theory, an exploit around an EoP vulnerability could permit an attacker (with limited access to a system) to gain more control over it. When you augment a browser exploit with an EoP exploit, it becomes especially dangerous – it can be used as a “sandbox escape,” breaking the measures put in place to limit the damage a browser exploit alone might cause.

Sophos coverage

Sophos has released following detection to address the vulnerabilities mentioned above.   Please note that additional vulnerabilities and corresponding detection may be released in the future.

CVE SAV IPS
CVE-2019-1335 Exp/20191335-A sid:2200885

How long does it take to have Sophos detection in place?

We aim to add detection to critical issues based on the type and nature of the vulnerabilities as soon as possible. Please note that some detection might not be available due to the availability of the data.