October 2019 Patch Tuesday – 59 vulns, 9 Critical, Azure App Service, Remote Desktop Client, PoC for Windows Error Reporting

This month’s Microsoft Patch Tuesday addresses 59 vulnerabilities with only 9 of them labeled as Critical. Of the 9 Critical vulns, 7 of them are for browsers and scripting engines. The remaining 2 are for Azure App Service and Remote Desktop Client. In addition, PoC code has been published for an Important Windows Error Reporting vulnerability. Adobe has not posted any patches for Patch Tuesday, but did issue out-of-band patches for ColdFusion on September 24th.

Workstation Patches

Scripting Engine, Browser, and MSXML patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.

Azure App Service RCE

A Remote Code Execution vulnerability (CVE-2019-1372) exists in Azure App Service on Azure Stack which escapes the sandbox and can execute malicious code as System. If you have the Azure App Service deployed to your Azure Stack, this patch should be prioritized.

Remote Desktop Client RCE

Another Remote Code Execution vulnerability (CVE-2019-1333) has been patched in the Remote Desktop Client. Exploiting this vulnerability would require a target to connect to a malicious Remote Desktop Server.

Publicly Disclosed Privilege Escalation in Windows Error Reporting Manager

A vulnerability (CVE-2019-1315) in Windows Error Reporting manager has been publicly disclosed along with PoC code. Exploitation of this vulnerability allows an attacker to overwrite arbitrary files, which could lead to privilege escalation.

Out-of-Band Patches for Internet Explorer and Windows Defender

On September 23rd, Microsoft issued out-of-band patches for Internet Explorer and Windows Defender. To read more about these vulnerabilities, and how to detect and patch them, please see our recent blog post.

Adobe

At the time of this writing, Adobe has not released any patches for Patch Tuesday. However, they did release out-of-band patches on September 24th for ColdFusion 2016 and 2018, covering two Critical vulnerabilities and one Important.


*** This is a Security Bloggers Network syndicated blog from The Laws of Vulnerabilities – Qualys Blog authored by Jimmy Graham. Read the original post at: https://blog.qualys.com/laws-of-vulnerabilities/2019/10/08/october-2019-patch-tuesday