Patching in Review – Week 40 of 2019
Happy Cybersecurity Awareness Month, everyone! With yet another unexpected IE release this week, I can’t think of a better way to usher in the month! As we prepare for the upcoming Patch Tuesday, make sure you’re registered for our webinar to get our analysis of high-profile vulnerabilities and known issues.
Internet Explorer Out-of-Band
Following up on the zero-day release last week, Microsoft released an additional Internet Explorer update of vague origins right before Patch Tuesday. To review: on 9/23 Microsoft released a surprise zero-day patch for IE (KB4522007) and Windows 10 to remediate the actively exploited CVE-2019-1367. The next day, a series of Quality Preview patches and, again, Windows 10 cumulatives that included the fix for the CVE were released for all supported OSes (Windows 10 1903 followed a few days later).
Third time’s the charm, right? On October 3, Microsoft surprised us all with yet another re-release of the Internet Explorer patches (KB4521435), a final set of Windows 10 cumulatives, and a surprising Monthly Rollup for all legacy OSes. There’s little evidence around the changes here, but it’s suspected that this new set of patches contains further fixes for bugs that the initial release contained.
Here’s a list of the final KBs in case you’d like to get these out before the Patch Tuesday cycle:
|  | IE | Cumulative/Rollup |
|---|---|---|
| Server 2008 |  |  |
| Windows 7 / Server 2008 R2 |  |  |
| Server 2012 |  |  |
| Windows 8.1 / Server 2012 R2 |  |  |
| Windows 10 1507 |  |  |
| Windows 10 1607 / Server 2016 |  |  |
| Windows 10 1703 |  |  |
| Windows 10 1709 |  |  |
| Windows 10 1803 |  |  |
| Windows 10 1809 / Server 2019 |  |  |
| Windows 10 1903 |  |  |
Security Releases
Foxit released version 9.7 this week with fixes for 10 CVEs, the most severe of which carry a CVSS score of 8.7. Most are Remote Code Execution vulnerabilities that depend on the user opening a specially crafted malicious file, which is most commonly distributed in phishing attacks. Make sure to get this rolled out in your next patching cycle.
Third-Party Updates
While the Microsoft updates have defined the week, other vendors have been releasing updates for their respective products. See the list below, as these updates can still contain valuable security fixes.
| Bulletin title | Bulletin ID | KB |
|---|---|---|
| BlueJeans 2.16.324.0 | JEANS-024 | QBJN2163240 |
| DropBox 82.4.155 | DROPBOX-121 | QDROPBOX824155 |
| FileZilla Client 3.45.1 | FILEZ-093 | QFILEZ3451X64 |
| Firefox 69.0.2 | FF19-021 | QFF6902 |
| GoodSync 10.10.9.5 | GOODSYNC-131 | QGS101095 |
| Google Backup and Sync 3.46.7175.2662 | GSYNC-023 | QGBS34671752662 |
| Nitro Pro 13.2.6.26 | NITRO-027 | QNITRO132326 |
| Nitro Pro Enterprise 13.2.3.26 | NITROE-008 | QNITROE132326 |
| Node.JS 12.11.1 (Current) | NOJSC-025 | QNODEJSC12111 |
| Plex Media Server 1.17.0.1841 | PLXS-046 | QPLXS11701841 |
| PuTTY 0.73 | PUTTY-006 | QPUTTY073 |
| Slack Machine-Wide Installer 4.1.0 | SMWI-035 | QSLACK410 |
| Splunk Universal Forwarder 7.3.2 | SPLUNKF-041 | QSPLUNKF732 |
| Sublime Text 3 Build 3211 | SUBL-006 | QSUBL3211 |
| Zoom Client 4.5.5422 | ZOOM-029 | QZOOM455422 |
| Zoom Outlook Plugin 4.8.5336.0928 | ZOOMOUT-012 | QZOOMO485336 |