Microsoft patches nine critical vulnerabilities in October 2019 Patch Tuesday

In total, 59 vulnerabilities have been fixed in Microsoft's latest slew of security fixes

Microsoft has released its latest batch of 'Patch Tuesday' security updates, fixing 59 vulnerabilities in total. The company claims that, this month, there are no zero-day security flaws requiring a quick fix.

Of all the vulnerabilities patched, nine are rated as 'critical,' 49 are rated as 'important,' while one is considered 'moderate' in severity.

The updates cover Windows 10, Dynamics 365, ChakraCore, Internet Explorer, Edge, SQL Server Management Studio, Microsoft Office, Windows Update Assistant, and other programmes.

One of the critical bugs addressed in the latest batch of updates is a remote code execution (RCE) flaw in the Windows Remote Desktop Client, which can be exploited by attackers when a user connects to a malicious server.

Indexed as CVE-2019-1333, this flaw specifically affects client machines that connect to servers through Remote Desktop Protocol (RDP).

To exploit the bug, an attacker first needs to compromise an RDP server with malicious code. After that, they must trick a client machine user into connecting to the malicious server via DNS poisoning, social engineering or other methods.

If they succeed, attackers can remotely execute arbitrary code on a victim's machine to install malware, view and modify data, and also set up new user accounts with full rights.

Fortunately, this RDP bug is not as dangerous as the wormable BlueKeep bug disclosed by Microsoft a few months ago.

Microsoft has also patched four critical memory corruption vulnerabilities (CVE-2019-1335, CVE-2019-1366, CVE-2019-1307, and CVE-2019-1308) in the Chakra Scripting Engine. These bugs surface when the scripting engine handles some specific objects in memory in the Edge browser. The flaws may lead to RCE, allowing hackers to install programmes, modify sensitive data or create privileged user accounts.

Microsoft has also fixed two critical VBScript RCE flaws (CVE-2019-1238 and CVE-2019-1239) in its Internet Explorer web browser.

The remaining two critical bugs patched by Microsoft are an RCE bug in the Azure App Service (CVE-2019-1372) and an RCE in the MSXML parser of XML Core Services (CVE-2019-1060).

Unlike its August and September Patch Tuesday updates, there are no zero-day vulnerabilities in the October security update.

According to Microsoft, it has no reports so far of any of these vulnerabilities being exploited in the wild.