Quiet October Patch Tuesday Disrupted by IE Zero-Day

Microsoft issues servicing stack updates for most Windows operating systems, Oracle updates are pending, but Adobe has still not issued patches for Flash.

Microsoft released updates for Microsoft Windows, the Internet Explorer and Edge browsers, Microsoft Office and Office 365, SQL Server, and some development tools. In addition, most Windows operating systems are getting another Servicing Stack Update (SSU). Microsoft has resolved a total of 59 vulnerabilities with no reported exploits or public disclosures. One might almost call this a quiet Patch Tuesday if not for the anxiety over the IE zero-day and the fallout from the issues reported over the past week.

Microsoft released Servicing Stack Updates (ADV990001) for all but Windows 7, Server 2008 and Server 2008 R2. SSUs are separate from the regular cumulative and security-only updates released by Microsoft. They update the component that installs Windows updates and will, at some point, become a prerequisite for future updates on affected systems. Microsoft usually releases the SSU at least a couple of months before the changes are fully in effect. The shortest interval we have observed between an SSU release and its becoming required for future updates has been two months. Considering Microsoft just released a full set of SSUs for all Windows OSs in September, there are some sweeping changes coming down the road. We recommend setting aside some time to get these SSUs tested and to prepare to start rolling them out, but approach with caution, as all but two just received another update. We have seen cases where multiple SSUs were acceptable to move forward, but the October set could also completely supersede the September SSUs when Microsoft enforces them as a prerequisite. Clear as mud!

Printing Issues with IE Zero-Day

As you test updates this month, keep in mind the IE zero-day fix that was originally released on September 23. The fix for the IE zero-day (CVE-2019-1367) was released for Windows 10 through cumulative updates for 1903 back to 1703, Server 2019 and Server 2016, but an IE rollup for pre-Windows 10 systems needed to be manually downloaded. On September 24, optional non-security cumulative updates for Windows 10 and monthly rollup previews for pre-Windows 10 systems were released, and while Microsoft did not specify it, the IE zero-day fix was included in these non-security updates. On October 3, new security updates, IE cumulative updates, and monthly rollup updates were released to resolve printing issues that were being widely reported as a result of the fix. After this round of updates, there were still reports of printing issues, and with the October 8 Patch Tuesday release, an additional release was added to the IE CVE. We recommend thorough testing if you experienced the printing issues introduced over the past couple of weeks.

As the Microsoft Knowledge Base notes, “The October security updates Microsoft is releasing on October 8, 2019 address a known printing issue that customers might have experienced after installing any of the security updates, IE cumulative updates, or monthly rollups that were released on September 23 or October 3 for all applicable installations of Internet Explorer 9, 10, or 11 on Microsoft Windows. Customers who have already installed the updates released on September 23 or October 3 should install the October security updates to address any printing issues you might have been experiencing. Please see the security updates table to download and install the October security updates.”

Updates on Adobe and Oracle

Adobe did NOT release a Flash Player update today. This makes three Patch Tuesdays in 2019 on which no Flash update was released to resolve security vulnerabilities. If you have not already eliminated Flash from your environments, it would be wise to begin. Usage is falling off steadily, and as such, it is getting less attention.

Also, on the non-Microsoft front, October brings another Oracle Critical Patch Update (CPU), so be on the lookout for releases from Oracle next Tuesday, October 15.