
This month, Microsoft released updates for Microsoft Windows, Internet Explorer and Edge browsers, Microsoft Office and Office 365, Exchange Server, ChakraCore, Secure Boot, Visual Studio, and Azure Stack. Microsoft has resolved a total of 75 vulnerabilities that include a zero-day IE vulnerability (CVE-2019-1429) and an Excel vulnerability (CVE-2019-1457) that has been publicly disclosed. The most exciting non-Microsoft update was the recent Google Chrome zero-day (CVE-2019-13720). Adobe has released security updates for Animate CC, Illustrator CC, Media Encoder and Bridge CC, resolving a total of 11 vulnerabilities. All are rated as priority 3.
There are some Windows end-of-life dates that you should be aware of for both this month and January. If you are continuing with Windows 7 or Server 2008/2008 R2, you should also be aware of some additional details from a blog post in November that explains how to get access and ensure your systems are prepared for extended support.
As you may recall, in October, Microsoft released Servicing Stack Updates (SSUs) across the board. For November, they released updated SSUs for all supported versions except Windows 10 1703. These SSUs will, at some point, become a prerequisite for future updates on the affected systems. Microsoft usually releases an SSU at least a couple of months before it becomes required; the shortest interval we have observed between an SSU release and it being required for future updates has been two months. Consider taking a conservative approach this month: do some light testing and see what happens in December before going too crazy with your SSU rollout.
Microsoft has resolved a Critical vulnerability (CVE-2019-1429) in Internet Explorer that could allow an attacker to execute code remotely. An attacker who corrupts memory in a specific way could execute arbitrary code in the context of the current user. The vulnerability only grants the attacker the same rights as the current user, so proper privilege management would limit the attacker’s ability to take full control of the system without additional elevation-of-privilege exploits. As for attack vectors, an attacker could craft a website, or embed an ActiveX control marked “safe for initialization” in an application or Office document that hosts the IE rendering engine. Security training on common phishing and user-targeted attack methods could further reduce the risk of this vulnerability being exploited. But since it is already being exploited in the wild, it is highly recommended to roll the patch out quickly to resolve the vulnerability completely.
Microsoft has resolved a publicly disclosed vulnerability (CVE-2019-1457) in Excel that could bypass security features. An attacker could embed a control in an Excel worksheet that specifies a macro to be run. The real risk of this vulnerability is whatever that macro executes once Excel’s security settings have been bypassed. This vulnerability is not currently being exploited in the wild, but since it has been publicly disclosed, threat actors have had a head start on developing an exploit for the CVE. This puts the vulnerability at higher risk of exploitation.
There seems to be a string of browser exploits recently. In September, there was an Internet Explorer zero-day (CVE-2019-1367), followed by a Google Chrome zero-day that was released on November 1, and now we have the November Patch Tuesday IE zero-day (CVE-2019-1429). Patch those browsers! The Chrome update (78.0.3904.87) resolved two vulnerabilities, one of which was the aforementioned CVE-2019-13720. That vulnerability is a use-after-free memory corruption bug that allows an attacker to execute malicious code.
Windows 10 branch 1803 for customers running on Home, Pro and Pro for Workstations editions has received its final security update today. If you are running on Enterprise and Education editions, you have until November 10, 2020, to transition. The next Windows end-of-life date will be January 8 when Windows 7 and Server 2008 and 2008 R2 reach their inevitable end. Or is it really the end? For some, there may be ways to carry on with updates for these platforms for a fee or in some cases for free. Check out the details in Microsoft’s October 17 blog post on how to get extended security updates for eligible Windows devices.