Patch batch
Microsoft’s October 2019 Patch Tuesday has landed, offering relief from no less than 59 security vulnerabilities.
The nine vulnerabilities marked as critical include a remote code execution (RCE) flaw involving Microsoft XML Core Services (CVE-2019-1060).
Exploit scenarios for the bug would involve tricking a target into visiting a booby-trapped website set up to parse MSXML through their browser.
Internet Explorer is vulnerable to the trick and therefore needs patching.
Other critical vulnerabilities cover flaws in Windows Remote Desktop Client that also creates a means to inject malicious code onto victims’ Windows PCs.
The bugs are of note because the underlying Remote Desktop Protocol (RDP) behind the technology has become a vector of ransomware attacks over recent months.
Satnam Narang, senior research engineer at vulnerability scanner firm Tenable, commented: “Two more vulnerabilities in Remote Desktop were patched this month.
“CVE-2019-1333 is an RCE vulnerability in Remote Desktop Client which requires an attacker to convince a user to connect to a malicious server using the RDP, or compromise an existing server and host malicious code on it, while waiting for vulnerable clients to connect.
“CVE-2019-1326 is a denial-of-service flaw in RDP that would allow an attacker to exploit it by connecting to the server and sending specially crafted requests, causing the RDP service on the vulnerable server to stop responding,” he added.
An overview of the bugs covered by the batch is available via the SANS Institute’'s Internet Storm Centre.
Microsoft’s Security Update Guide provides links to these various updates.
