IDG Contributor Network: A troubled update to critical browser patches for October Patch Tuesday

It was once all going so smartly. We had a couple of months of updates that each swiftly and readily addressed safety problems with out many issues. This October Patch Tuesday is crucial however patch unencumber from Microsoft. We’ve a crucial, out-of-band browser replace (CVE-2019-1367) that has been broadly reported as inflicting plenty of deployment problems. Our recommendation this month is to attend, check and degree your patch deployments. The one excellent information right here, is that we don’t seem to be all speeding round seeking to extinguish some other “screaming-hair-on-fire” Adobe factor. We’ve defined this month’s key problems in an infographic for this October Patch Tuesday, discovered right here.

Recognized problems

This phase addresses the recognized problems from the former month’s patch cycle, in addition to exceptional problems that can stick with older builds of Home windows desktop and server platforms.

Final month’s replace gave the look to be normally downside loose, however it seems that that a couple of reported issues had been enough for Microsoft to reply with an replace to earlier patches to get to the bottom of the next problems:

  • The Keyboard Lockdown Subsystem that won’t clear out key enter accurately.
  • A subject matter that stops netdom.exe from showing the brand new ticket-granting price tag (TGT) delegation bit for the show or question mode.
  • The safety bulletin CVE-2019-1318 that can purpose consumer or server computer systems that don’t improve Prolonged Grasp Secret (EMS) RFC 7627 to have greater connection latency and CPU usage. This factor happens whilst appearing complete Delivery Layer Safety (TLS) handshake from gadgets that don’t improve EMS, particularly on servers.
  • Programs and printer drivers that make the most of the Home windows JavaScript engine (jscript.dll) for processing print jobs might fail to act as anticipated.

And, if you’re on Home windows 10 builds older than unencumber 1803, then you may additionally have the next factor with this months’ October replace:

  • Positive operations, equivalent to rename, that you just carry out on information or folders which are on a Cluster Shared Quantity (CSV) might fail with the mistake, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This happens whilst you carry out an operation on a CSV proprietor node from a procedure that doesn’t have administrator privilege.

Microsoft has revealed a at hand information to all recognized problems for this patch unencumber right here: Safety replace deployment knowledge. In some other shining endorsement of the luck of Home windows 10, Unlock 1903, there are lately no recognized (reported) problems with any of the present updates. All earlier variations of Home windows have problems with updates to each Web Explorer (IE) and Microsoft Edge.

Primary revisions

The next updates had been made to present patches over the last month (patch cycle):

Every month, we destroy down the replace cycle into product households (as outlined through Microsoft) with the next elementary groupings:

  • Browsers (Microsoft IE and Edge)
  • Microsoft Home windows (each desktop and server)
  • Microsoft Place of job (Together with Internet Apps and Change)
  • Microsoft Building platforms ( NET Core, .NET Core and Chakra Core)
  • Adobe Flash Participant


Microsoft has launched ten updates to each browsers this month, with 5 rated as crucial through Microsoft affecting the Chakra, JavaScript and VBScript engine. If we handiest had to speak about those patches, then we’d have a very easy process this month, with an ordinary time table for freeing browser patches. Then again, Microsoft launched an out-of-band (OOB) patch to IE in an try to get to the bottom of a reported vulnerability within the IE script engine (CVE-2019-1367). It’s a correct zero-day factor, with huge reviews of exploitation that handiest require a talk over with to a specifically crafted webpage. It is a unhealthy one.

This patch is inflicting issues. We’ve observed reviews of printers now not running (Kyocera’s particularly), tough to troubleshoot line-of-business (LOB) software eventualities and issues of JavaScript scripts (referencing JSCRIPT.DLL). This OOB replace stuck us all through wonder and I think at the moment that Microsoft will have equipped some extra documentation upfront. After running with our crew, we wouldn’t have a easy prescriptive subsequent step for this replace. This doesn’t occur that incessantly. I believe that each and every group must assess the dangers of now not deploying this replace with dangers to core packages, and imaginable (and most likely) printing problems. Our recommendation: check your core packages, check your entire printers, after which degree a measured roll-out on a departmental foundation.

Home windows

Microsoft has launched 38 patches to the Home windows platform this month, with two rated as crucial (CVE-2019-1060, CVE-2019-1333) and a crucial servicing stack advisory (ADV990001). Once more, we’re seeing updates to acquainted home windows elements: Microsoft JET Engine, RDP, HTTP, APPX, GDI and XML Core Products and services. This month the servicing stack updates come with fixes to get to the bottom of:

  • an issue with the Protected Boot revocation listing (DBX) replace revel in to keep away from more than one restarts whilst you deploy the DBX replace on a tool the place the Credential Guard carrier isn’t working.
  • a subject through which the Protected Boot revocation listing (DBX) isn’t carried out when the Protected Boot permit listing (DB) replace is empty.

With reported issues of Cortana, printing problems, tough Jscript troubleshooting eventualities or issues of rebooting, this massive advanced replace would require intensive checking out. We propose that the majority organizations WAIT for a couple of extra days, in finding out the place the troublespots are, after which check broadly prior to a common deployment.

Microsoft Place of job

This month’s replace brings a number of updates to Microsoft SharePoint Server with six updates rated as vital for Microsoft Place of job packages. Essentially the most severe vulnerabilities relate to a far off code execution situation in Microsoft Excel 2016. Each CVE-2019-1327 and CVE-2019-1331 are incorporated in one replace that may be discovered right here. As a phrase of caution, the SharePoint server updates (addressing an XSS factor) can’t be uninstalled. Make a backup of your server prior to this replace. Upload those updates (each desktop and server platforms) for your usual, scheduled replace unencumber time table

Building equipment

With this replace cycle, we’re nonetheless seeing updates to the Chakra engine, however few patches to core construction platforms equivalent to .NET. For October, Microsoft has launched a crucial replace for its Azure App Carrier (please sanitize your inputs) and two vital updates (CVE-2019-1313, CVE-2019-1376) to the SQL Server Control studio (SSMS). I take into account a time, when the SSMS was once a big control interface and automatically up to date. It will get so much much less consideration now, and I imagine it’s on account of the overall transfer to the cloud for lots of company databases. Upload the SSMS replace for your scheduled replace cycle. You don’t have a decision with the Azure platform. Microsoft will maintain these kinds of required adjustments.

Along with the common Patch Tuesday safety comparable updates, the Microsoft .NET framework receives common repairs updates. For this October, Microsoft has now not launched any safety updates for the .NET platform, however there are worm fixes launched for .NET together with:

  • Home windows 10 1903 and Home windows Server, model 1903 (4524100)
  • .NET Framework three.five, four.eight (4515871)
  • Home windows 10 1809 (October 2018 Replace) Home windows Server 2019 (4524099)
  • .NET Framework three.five, four.7.2 (4515855)
  • .NET Framework three.five, four.eight (4515843)

I believe that that is the primary time that we have got a Microsoft replace to an open supply venture with a patch to the Open Enclave venture to deal with a knowledge disclosure factor (CVE-2019-1369). If you need to learn extra about this, you’ll be able to take a look at the put up from Mark Russinovich at the confidential computing consortium. These kind of adjustments would require intensive checking out, and so upload those patches for your usual construction unencumber time table.


Adobe has now not launched any updates for Home windows this month. This is excellent news and it’s now a couple of months since we noticed any updates for Flash or Reader. If this can be a pattern, it is vitally welcome. As you don’t need to replace Adobe this month, we advise that you’ve got a margarita.

This text is revealed as a part of the IDG Contributor Community. Need to Sign up for?

Copyright © 2019 IDG Communications, Inc.

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: