October Patch Tuesday 2019
Microsoft released updates for Microsoft Windows, the Internet Explorer and Edge browsers, Microsoft Office and Office 365, SQL Server, and some development tools. In addition, most of the Windows operating systems are getting another Servicing Stack Update. Microsoft has resolved a total of 59 vulnerabilities with no reported exploits or public disclosures. One might almost call this a quiet Patch Tuesday if not for the anxiety over the IE zero-day and the fallout from the issues reported over the past week.
Microsoft released Servicing Stack Updates (ADV990001) for all but Windows 7, Server 2008 and Server 2008 R2. SSUs are separate from the regular cumulative and security-only updates released by Microsoft. These updates to the update services in Windows will at some point become a prerequisite for future updates on affected systems. Microsoft usually releases an SSU at least a couple of months before the changes are fully in effect. The shortest interval we have observed between an SSU release and its being required for future updates is two months. Considering Microsoft just released a full set of SSUs for all Windows OSs in September, there are some sweeping changes coming down the road. We recommend setting aside some time to get these SSUs tested and to prepare to start rolling them out, but approach with caution, as all but two just received another update. We have seen cases where any of several SSUs was acceptable for moving forward, but the October set could also completely supersede the September SSUs when Microsoft enforces them as a prerequisite. Clear as mud!
As you test updates this month, keep in mind the IE zero-day fix that was originally released on September 23. The fix for the IE zero-day (CVE-2019-1367) was released for Windows 10 through cumulative updates for 1903 back to 1703, Server 2019 and Server 2016, but the IE rollup for pre-Windows 10 systems had to be downloaded manually. On September 24, optional non-security cumulative updates for Windows 10 and monthly rollup previews for pre-Windows 10 systems were released, and while Microsoft did not specify it, the IE zero-day fix was included in these non-security updates. On October 3, new security updates, IE cumulative updates, and monthly rollup updates were released to resolve printing issues that were being widely reported as a result of the fix. After this round of updates there were still reports of printing issues, and with the October 8 Patch Tuesday release this additional release was added to the IE CVE. We recommend thorough testing if you experienced the printing issues introduced over the past couple of weeks.
As the Microsoft Knowledge Base notes, “The October security updates Microsoft is releasing on October 8, 2019 address a known printing issue that customers might have experienced after installing any of the security updates, IE cumulative updates, or monthly rollups that were released on September 23 or October 3 for all applicable installations of Internet Explorer 9, 10, or 11 on Microsoft Windows. Customers who have already installed the updates released on September 23 or October 3 should install the October security updates to address any printing issues you might have been experiencing. Please see the security updates table to download and install the October security updates.”
Adobe did NOT release a Flash Player update today. This makes three Patch Tuesdays in 2019 on which Flash did not receive a release to resolve security vulnerabilities. If you have not already eliminated Flash from your environments, it would be wise to begin. Usage is falling off steadily, and as a result it is getting less attention.
Also on the non-Microsoft front, October brings another Oracle CPU release, so be on the lookout for releases from Oracle next Tuesday, October 15.