The second Tuesday of the month is here, and if you manage tons of endpoints, this can only mean one thing to you: Patch Tuesday updates. This Patch Tuesday brings us updates to fix 59 vulnerabilities, eight of which are classified as Critical and should not be neglected. Microsoft has also released one advisory (Windows 10 Servicing Stack update), which is also termed Critical.
Patch Tuesday updates for Microsoft products
Microsoft Patch Tuesday October 2019 covers vulnerabilities in:
- Azure
- Internet Explorer
- Microsoft Edge
- Microsoft Scripting Engine
- Microsoft Windows
- SQL Server
- ChakraCore
- Microsoft Office, Office services, and web apps
- Microsoft Dynamics 365
- Windows Update Assistant
Let’s take a look at the noteworthy vulnerabilities patched this Patch Tuesday.
Two New Technology LAN Manager (NTLM) authentication vulnerabilities patched
Two vulnerabilities that bypass the message integrity code (MIC) protection on NTLM authentication and cause full domain compromise in networks have been fixed this Patch Tuesday. If left unpatched, these vulnerabilities allow attackers to bypass other NTLM relay mitigations, such as Extended Protection for Authentication (EPA), and target service principal name (SPN) validation for certain old NTLM clients that send LMv2 challenge responses. In short, if exploited, these vulnerabilities could leave all Active Directory (AD) customers with default configurations vulnerable to a MIC bypass that allows for an NTLM relay attack.
Critical vulnerabilities patched
Apart from the vulnerabilities mentioned above, eight critical vulnerabilities have been addressed. These vulnerabilities are present in Azure, Microsoft Scripting Engine, and Windows Remote Desktop Protocol (RDP). Vulnerabilities under this severity level are easily exploitable and can result in remote code execution (RCE) and memory corruption, all with little to no interaction on the part of the user. As always, Critical vulnerabilities should be given the utmost importance and be remediated first.
Other important vulnerabilities
There are three other interesting vulnerabilities that should be taken care of. Two of them are RCE vulnerabilities found in VBScript Engine, while the other one is in the Remote Desktop client.
- The VBScript vulnerabilities (CVE-2019-1238 and CVE-2019-1239) can be exploited by sending malicious Office documents as an attachment or through specially crafted websites that trigger the vulnerability in Internet Explorer.
- The Remote Desktop client RCE vulnerability is assigned the ID CVE-2019-1333 and allows a malicious server to execute commands on a client when it connects via RDP.
Non-security updates
Microsoft has released several non-security updates for Microsoft Office 2016, Outlook 2016, Outlook 2013, Outlook 2010, Word 2016, and so on. Ideally, non-security updates are applied after the security updates have been addressed.
How to handle Microsoft Patch Tuesday updates for October 2019
If you’re a sysadmin, you have your hands full for the next couple of weeks with these Patch Tuesday updates. However, you can follow the practices below to make the patching process efficient and hassle-free.
- Prioritize patching for the eight critical vulnerabilities: CVE-2019-1372, CVE-2019-1366, CVE-2019-1060, CVE-2019-1307, CVE-2019-1308, CVE-2019-1239, and CVE-2019-1238.
- Automate all other Important and Moderate updates right after that.
- Schedule Patch Tuesday updates to go out during non-business hours to prevent downtime.
- Create a test group to verify the stability of Patch Tuesday updates before rolling them out to production machines.
- Decline less critical patches and roll them out after the important issues have been addressed.
- Postpone or schedule reboots for critical machines and servers.
- Run patch reports to ensure network endpoints are up-to-date with the latest patches.
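The prioritization, test-group, reboot and reporting steps above, sketched as an added example (not code from this article, ManageEngine or Microsoft). It runs over a constructed inventory: host names, group labels, the `server` flag and the `OTHER-*` patch ids are assumptions, and only the critical CVE list comes from this article.

```python
# Critical CVEs, copied from the article's prioritization step.
CRITICAL = {"CVE-2019-1372", "CVE-2019-1366", "CVE-2019-1060", "CVE-2019-1307",
            "CVE-2019-1308", "CVE-2019-1239", "CVE-2019-1238"}

# Constructed inventory: host names, groups and the OTHER-* ids are made up.
INVENTORY = [
    {"host": "ws-test-01", "group": "test", "server": False,
     "missing": ["CVE-2019-1238", "OTHER-0001"]},
    {"host": "ws-prod-07", "group": "prod", "server": False,
     "missing": ["OTHER-0001"]},
    {"host": "srv-prod-02", "group": "prod", "server": True,
     "missing": ["CVE-2019-1372", "CVE-2019-1366", "OTHER-0002"]},
    {"host": "ws-prod-03", "group": "prod", "server": False,
     "missing": ["CVE-2019-1307"]},
    {"host": "ws-prod-09", "group": "prod", "server": False, "missing": []},
]

def plan_rollout(inventory):
    """Return ordered deployment jobs: critical fixes to the test group first,
    then critical fixes to production, then every remaining update."""
    jobs = []
    for wave, group, want_critical in ((1, "test", True), (2, "prod", True),
                                       (3, None, False)):
        batch = []
        for ep in inventory:
            if group and ep["group"] != group:
                continue
            ids = sorted(p for p in ep["missing"] if (p in CRITICAL) == want_critical)
            if ids:
                # Servers get a scheduled reboot instead of an immediate one.
                batch.append({"wave": wave, "host": ep["host"], "patches": ids,
                              "reboot": "scheduled" if ep["server"] else "after-install"})
        # Within a wave, hosts missing the most patches go first.
        batch.sort(key=lambda j: (-len(j["patches"]), j["host"]))
        jobs.extend(batch)
    return jobs

def critical_compliance(inventory):
    """Percentage of endpoints with none of the listed critical CVEs
    outstanding, plus the hosts that still need attention."""
    exposed = sorted(ep["host"] for ep in inventory if CRITICAL & set(ep["missing"]))
    pct = 100.0 * (len(inventory) - len(exposed)) / len(inventory) if inventory else 100.0
    return pct, exposed

if __name__ == "__main__":
    for job in plan_rollout(INVENTORY):
        print(job)
    print(critical_compliance(INVENTORY))
```

Wave 2 should only be released once the wave 1 hosts have been verified as stable; the plan encodes the order, not the verification itself.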
We can already hear you sighing just thinking about this tedious process.
But don’t worry, we’ve got you covered.
ManageEngine offers two solutions—Desktop Central and Patch Manager Plus. Both help you automate all the best practices mentioned above from one central console. Try both solutions free for 30 days to keep more than 750 applications, including over 300 third-party applications, up-to-date.
Don’t miss out on our webinar on Patch Tuesday October 2019. We’ll have a rundown on October Patch Tuesday updates, analysis of critical vulnerabilities, as well as discussion of the impact of ignoring this month’s patches and other complexities that come along with patching these vulnerabilities. Register now!