• October 2019 Patch Tuesday – watch out

    The patches just hit. I count 132 new patches in the Update Catalog — added to the 50 that were released on Oct. 3rd (and updated on the 4th).

    Dustin Childs, in his usual thorough overview for the Zero Day Initiative, pegs it at 59 separately identified security holes (CVEs). No new advisories. There are no new “Public” or “Exploited” patches. Our old friend CVE-2019-1367, the infamous IE zero-day isn’t on the list of new patches. Childs says:

    –       CVE-2019-1367 – Scripting Engine Memory Corruption Vulnerability
    This patch was actually released on September 23 to address active attacks reported on IE. However, this initial patch was only available via manual download and wasn’t on Windows Update or Automatic Update. On October 3, they updated and re-released the patch on all platforms. They also noted the updated patch addresses some quality issues introduced by the first patch. It seems the rush to create the update to stop the attacks had a bumpy start, and some reports indicate printing issues continue. If you’re worried about the risk, restricting access to jscript.dll is a good alternative to applying the patch. 

    Which is certainly giving Microsoft the benefit of the doubt. 🙂 I continue to recommend not using IE and setting your default browser to something – anything – else.

    Martin Brinkmann has his full listing on the Ghacks.net site.

    I’m happy to report that, after a five day absence, the official list of Servicing Stack Updates, ADV990001, is now up and working. Almost all of the SSUs are new this month. (Servicing Stack Updates fix Windows Update itself. Normally, Windows Update installs them automatically; you only need to worry about them if you’re manually downloading and installing updates.)

    It looks like the latest cumulative updates for all Win10 versions include the changes made for the October 3 out-of-band patch. Bugs and all, I would assume.


    Günter Born has posted several descriptions of RDP bugs in the last cumulative update to Win10 version 1903, KB 4524147. Betcha bucks to buckaroos that we’ll see the same bugs (along with all of the printer bugs and Start menu bugs and … ) in the latest cumulative update, KB 4517389.

    We’re still at MS-DEFCON 1: Don’t patch. For any reason, real or imagined.