Wednesday, September 30 2020

Patch Tuesday, November 2019 issue – Krebs Security


Microsoft today announced updates to plug security holes in its software, including patches to fix at least 74 vulnerabilities in different flavors of Windows and programs that run on it. November's updates include a patch for a zero-day flaw in Internet Explorer that is currently being exploited in the wild, as well as a sneaky bug in certain versions of Office for Mac that bypasses security protections and was publicly disclosed before today's patches.

More than a dozen vulnerabilities resolved in this month's release have been rated "critical", meaning they can be exploited to install malware without any action by the user, other than possibly browsing to a hacked or malicious web page or opening a booby-trapped attachment.

Perhaps the most worrying of these critical holes is the zero-day flaw in Internet Explorer (CVE-2019-1429), which has already seen active exploitation. Today's updates also address two other critical vulnerabilities in the same Windows component that handles different scripting languages.

Microsoft has also fixed a bug in Microsoft Office for Mac (CVE-2019-1457) that could allow attackers to bypass security protections in some versions of the program and enable malicious macros.

Macros are pieces of computer code that can be embedded in Office files, and malicious macros are often used by malware purveyors to compromise Windows systems. Usually, this takes the form of a prompt urging the user to "enable macros" after opening a booby-trapped Office document delivered via email. Thus, Office has a feature called "disable all macros without notification".

But Microsoft says all versions of Office still support older types of macros that do not respect this setting and can be used as a vector for pushing malware. Will Dormann of CERT/CC reports that while Office 2016 and 2019 for Mac will still prompt the user before executing these older macro types, Office for Mac 2011 does not warn users before opening them.

Other Windows applications or components that get critical patches today include Microsoft Exchange and Windows Media Player. In addition, Microsoft also patched nine vulnerabilities – five of them critical – in Windows Hyper-V, an add-on to the Windows Server operating system (and Windows 10 Pro) that allows users to create and run virtual machines (other "guest" operating systems) from within Windows.

Although Adobe usually issues patches for its Flash Player browser component on Patch Tuesday, this is the second month in a row that Adobe has not released security updates for Flash. However, Adobe today released security fixes for a variety of its creative software packages, including Animate, Illustrator, Media Encoder and Bridge. Also, I neglected to notice last month that Adobe released a critical update for Acrobat/Reader that involved at least 67 errors, so if you have any of these products installed, please make sure they are patched and updated.

Finally, Google recently fixed a zero-day flaw in its Chrome Web browser (CVE-2019-13720). If you're using Chrome and see an up arrow to the right of the address bar, an update is pending; completely closing and restarting the browser should install any available updates.

Now seems like a good time to remind all you Windows 7 end users that Microsoft will stop delivering security updates after January 2020 (this end of life also affects Windows Server 2008 and 2008 R2). While businesses and other volume license buyers will have the option of paying for additional fixes at that point, all other Windows 7 users who want to stick with Windows will have to consider migrating to Windows 10 soon.

Standard heads-up: Windows 10 wants to install patches all at once and restart your computer on its own schedule. Microsoft does not make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you want to be alerted to new updates when they are available, so you can choose when to install them, there is a setting for that in Windows Update. To get there, click the Windows key on the keyboard and type "Windows Update" in the pop-up box.

Keep in mind that while staying up to date on Windows patches is a good idea, it's important to make sure you update only after backing up your important data and files. A reliable backup means you are unlikely to panic when the odd buggy patch causes problems booting the system. So do yourself a favor and back up your files before installing any patches.

As always, if you have problems installing any of these patches this month, please feel free to comment below; there is a decent chance other readers have experienced the same thing and may even chime in here with some helpful tips.

Tags: adobe, CVE-2019-1429, CVE-2019-1457, zero-day internet explorer, macros, microsoft, office for mac, windows 7 end of life

This entry was posted on Tuesday, November 12th, 2019 at 5:04 pm and is filed under "Time To Appear".