Microsoft today released updates to plug security holes in its software, including patches to fix at least 74 weaknesses in various flavors of Windows and programs that run on top of it. The November updates include a fix for a zero-day flaw in Internet Explorer that is currently being exploited in the wild, as well as for a stealthy bug in certain versions of Office for Mac that bypasses security protections and was publicly detailed before today's patches.
More than a dozen of the flaws addressed in this month's release are rated "critical," meaning they involve weaknesses that can be exploited to install malware without any action on the part of the user, except perhaps browsing to a hacked or malicious website or opening a booby-trapped file attachment.
Perhaps the most worrying of these critical holes is a zero-day flaw in Internet Explorer (CVE-2019-1429) that has already seen active exploitation. Today's updates also address two other critical vulnerabilities in the same Windows component that handles multiple scripting languages.
Microsoft also fixed a bug in Microsoft Office for Mac (CVE-2019-1457) that could allow attackers to bypass security protections in some versions of the program, letting malicious macros through.
Macros are bits of computer code that can be embedded in Office files, and malicious macros are frequently used by malware purveyors to compromise Windows systems. Usually, this takes the form of a prompt urging the user to "enable macros" after opening a booby-trapped Office document delivered by email. For this reason, Office has a feature called "Disable all macros without notification."
But Microsoft says all versions of Office still support an older type of macro that does not respect this setting and can be used as a vector for delivering malware. Will Dormann of the CERT/CC reports that while Office 2016 and 2019 for Mac still prompt the user before running these older macro types, Office for Mac 2011 fails to warn users before opening them.
Other Windows applications or components that received fixes for critical flaws today include Microsoft Exchange and Windows Media Player. In addition, Microsoft fixed nine vulnerabilities, five of them critical, in Windows Hyper-V, an add-on to the Windows Server OS (and Windows 10 Pro) that allows users to create and run virtual machines (other "guest" operating systems) from within Windows.
Although Adobe usually issues patches for its Flash Player browser component on Patch Tuesday, this is the second consecutive month that Adobe has not released any security updates for Flash. However, today Adobe did release security fixes for a variety of its creative software suites, including Animate, Illustrator, Media Encoder, and Bridge. Also, I forgot to note last month that Adobe released a critical update for Acrobat Reader that resolved at least 67 bugs, so if you have any of these products installed, make sure they are patched and up to date.
Finally, Google recently fixed a zero-day bug in its Chrome Web browser (CVE-2019-13720). If you use Chrome and see an upward-facing arrow to the right of the address bar, there is an update pending; closing and restarting the browser completely should install the available updates.
Now seems like a good time to remind all you Windows 7 end users that Microsoft will stop sending security updates after January 2020 (this end-of-life also affects Windows Server 2008 and 2008 R2). Although companies and other volume-license buyers have the option to pay for additional fixes after this point, all other Windows 7 users who wish to stay on Windows will need to consider migrating to Windows 10 soon.
Standard heads-up: Windows 10 likes to install patches all in one go and restart the computer on its own schedule. Microsoft does not make it easy for Windows 10 users to change this setting, but it is possible. For all other users of the Windows operating system, if you prefer to be alerted about new updates when they are available, and to choose when to install them, there is a setting for this in Windows Update. To get there, press the Windows key on your keyboard and type "windows update" in the box that appears.
Keep in mind that while it is a good idea to stay up to date on Windows patches, it is important to update only after backing up your important data and files. A reliable backup means you're probably not freaking out when the odd buggy patch causes system startup problems. So do yourself a favor and back up your files before installing any patches.
As always, if you experience glitches or problems installing any of these patches this month, feel free to leave a comment below; there is a decent chance that other readers have experienced the same and may even chime in here with some helpful tips.
Tags: adobe, CVE-2019-1429, CVE-2019-1457, internet explorer zero day, macros, microsoft, office for mac, windows 7 end of life
This entry was posted on Tuesday, November 12th, 2019 at 17:04 and is filed under Time to Patch.