October 9, 2019

On Tuesday Microsoft issued software updates to fix almost five dozen security problems in Windows and software designed to run on top of it. By most accounts, it’s a relatively light patch batch this month. Here’s a look at the highlights.

Happily, only about 15 percent of the bugs patched this week earned Microsoft’s most dire “critical” rating. Microsoft labels flaws critical when they could be exploited by miscreants or malware to seize control over a vulnerable system without any help from the user.

Also, Adobe has kindly granted us another month’s respite from patching security holes in its Flash Player browser plugin.

Included in this month’s roundup is something Microsoft actually first started shipping in the third week of September, when it released an emergency update to fix a critical Internet Explorer zero-day flaw (CVE-2019-1367) that was being exploited in the wild.

That out-of-band security update for IE caused printer errors for many Microsoft users whose computers applied the emergency update early on, according to Windows update expert Woody Leonhard. Apparently, the fix available through this month’s roundup addresses those issues.

Security firm Ivanti notes that the patch for the IE zero day flaw was released prior to today for Windows 10 through cumulative updates, but that an IE rollup for any pre-Windows 10 systems needs to be manually downloaded and installed.

Once again, Microsoft is fixing dangerous bugs in its Remote Desktop Client, the Windows feature that lets a user interact with a remote desktop as if they were sitting in front of the other PC. On the bright side, this critical bug can only be exploited by tricking a user into connecting to a malicious Remote Desktop server — not exactly the most likely attack scenario.

Other notable vulnerabilities addressed this month include a pair of critical security holes in Microsoft Excel versions 2010-2019 for Mac and Windows, as well as Office 365. These flaws would allow an attacker to install malware just by getting a user to open a booby-trapped Office file.

Windows 10 likes to install patches all in one go and reboot your computer on its own schedule. Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update. To get there, click the Windows key on your keyboard and type “windows update” into the box that pops up.

Staying up-to-date on Windows patches is good. Updating only after you’ve backed up your important data and files is even better. A reliable backup means you’re not pulling your hair out if the odd buggy patch causes problems booting the system. So do yourself a favor and backup your files before installing any patches.

As always, if you experience any problems installing any of the patches this month, please feel free to leave a comment about it below; there’s a decent chance other readers have experienced the same and may even chime in here with some helpful tips.


42 thoughts on “Patch Tuesday Lowdown, October 2019 Edition

  1. AJ North

    Hello Brian,

    Actually, Adobe have updated their Flash Player for all platforms to version 32.0.0.270 (though as of this post, their latest security bulletin has not yet been released, so it is not known whether this is security-related).

    Regards,

    AJN

  2. Alex

    Hi Brian,
    as i heard Adobe will be providing on the sites till 2020, then all the Flash sites are not more supported. During this time changes should be made to all websites. I also changed my site during this time. Hope you solve also the issue with flash
    Regards,
    Alex

    1. Jamison

      You did read this part right? “…you may be at risk of potential claims of infringement by third parties.”

      1. Readership1

        I did. It’s legalese for “we are so motivated to screw you over that we will provide a list of past customers to anyone who sues us, unless you agree to buy the new version.”

        It’s an empty threat without redeeming principle.

  3. The Sunsine State

    Windows 10 version 1803 reaches end of servicing next month for Home and Pro editions.

  4. Max

    Hello Brian,
    I just that, they fixed the issue this time with the excel for Mac, especially when you are writing in foreign language, where some letter werent recognized from the system. Especially when you wanna transfer the TXT from Excel to another program. Now they fixed the issue and im really glad about this news.
    Keep updating us with such great info.
    Best regards from,
    Max

  5. Deb Tasker

    Stupid update took 3 hrs. Never again.
    2am before i could use my laptop.

  6. Horlech

    Decreasing the patch KB codes kb452>### in latest times what happen with micto$oft

  7. John Pavon

    It would be helpful if these patches were made available to you so you could provide a link to down load or a link to access the correct download.

  8. Arbee

    Win 7 January 2020 end-of-life: When KB4524157 was offered last week, I sniffed around the interwebs to learn what was going on. Unrelated to the update, my search turned up

    “Microsoft now says it will offer patches for the aging OS through early 2023 to any business that’s willing to pay up.”
    https://www.computerworld.com/article/3442757/post-retirement-windows-7-patches-not-just-for-the-big-dogs-now.html

    Read the article for details. Some critical information apparently isn’t yet known. Like: pricing.

    For those of us who’d like to continue using Win 7, there may be a stay of execution if not a reprieve.

    1. Island Computers

      Yeah but isn’t it only available for enterprise and business customers with a free of US$200 per license? Smells like blackmail to me.

  9. KFritz

    The searchline for the Microsoft Update Catalog is as buggy as cow flop on a hot day. For months “security only 2019” produced the latest updates at the top of the list. This month the query needed to read “security only updates 2019” to produce the desired result. There must cubicles in Redmond with a dedicated gremlin population.

  10. Al

    Does the patch say “do not turn off your computer”? I am in an area in California where PG&E could turn off the power at any moment.

    1. Island Computers

      I’d definitely recommend you buy a UPS (battery backup) then. Ateast that way you can give yourself 15 or so minutes to turn everything off manually if the power stays out. They’re relatively cheap and can power a lot of stuff. They are especially helpful if you get a lot of brown outs (momentary interruptions in the power supply) as these more commonly damage electrical products than the rare powder surges.

  11. KVO

    Hi Brian,

    I’d like your opinion on the recent Volusion breach. I read about it in Kim Kommando’s security email which referenced an article on ZDNET. I searched the referenced database (for sites I had recently shopped on) and I saw a lot of BIG website names in there, much bigger than Sesame Street. Supposedly the Volusion site is still compromised and is still pushing the malicious Magecart code to clients. KK recommends calling the bank, doing a fraud alert, and I assume getting new card numbers? I already have the big 3 frozen and I don’t use debit cards. Assuming I get new card numbers what’s to stop the new numbers from being leaked again? I do a lot of online shopping and stuff on Kickstarter. I couldn’t
    ascertain when this breach started but it sounds like it’s pretty bad.

    Thanks!

  12. Mike Pinkston

    1903 has been terrible. Right now 4524147 and 4517389 are causing all kinds of issues with Edge and with the Start menu.

    Printing problems before that. Very frustrating.

    1. SANDY RITCHIE

      I am having major issues with my computers after this update automatically installed last night!!!!! 2 of my printers wont print and one computer won’t even boot up, keeps going to System Repair menu!!!!!!!!!

      1. Daniel Hellstrand

        Same with our organisation. We have 2500 windows 7 machines running and after this last update we have atleast 4 machines which go into repair mode and will not get out of it. Anyone have a clue which patch is causing this ?

        1. larry smith

          Same here. Win 7 laptop goes into system repair instead of booting, comes up with a restore point then can’t restore due to some error. now it wont even power up at all. shuts off as soon as i turn it on.

  13. Scarlet Costello

    I have auto updates turned on and have had no problems until this update. Now my computer can’t find any printers. Which update should I uninstall? I really need to be able to print as I use this computer for work.

    1. Mike Pinkston

      Removing the two KB articles in my post will fix the printing problems.

      1. Scarlet Costello

        Thanks. It worked. I’m back to printing again!

  14. Diane Trefethen

    Both Microsoft and Intuit started out with a great idea that would help tons of people and that would make them millions of dollars. So that was their business model. But behind the scenes, the giants of business education, Yale and Harvard, were drilling their students with a more ambitious model. Make a product that tons of people would think was for their benefit and then make unlimited billions of dollars by altering that product enough to trick customers into continuing to buy it even if it wasn’t any better than the old version(s).

    As the years went by, the shiny new Yale and Harvard business grads at Intuit were the first to figure out a really neat way to implement the new model. Institute this 2-phase plan. 1) Introduce a new “version” that had some new bells and whistles but lace the guts with annoying bugs. 2) Provide a year or two of free “updates”, also bug-laden. Then replace the whole mess with a NEW “version” that you could charge for, one still full of bugs of course. Rinse and repeat. Eventually Quicken became so frustrating that customers started dropping it in droves. So Intuit unloaded it to some bank. But hey, they made their billions.

    If all this sounds familiar to Win10 users, the only difference between Microsoft and Intuit is the reason they don’t care when they destroy their products. Intuit didn’t care because it had already milked Quicken dry. Microsoft doesn’t care because it thinks it is too big for anyone to do anything about it.

    Can you spell Linux?

    1. Arbee

      Thanks for your comment.

      For years (you can do the arithmetic) I’ve been using the version of Quicken 98 that was certified to be Y2K-compliant. For business, I used a similarly antediluvian version of QuickBooks. I have no complaints about either. It seemed to me that newer versions offered me no benefits. Specific to Krebs on Security, I use neither of these products on line. IMHO, notional internet access with either of these products is so — quaint — as to present minimal security risks.

      This violates Krebs’s Rule #2 for Staying Safe Online: “If you installed it, update it.” I’d add an asterisk to Rule #2: *Sometimes, “newer” isn’t “better” or “safer”; but consider the decision to not update carefully. This asterisk underpins the “Patch Tuesday” series.

      And yes, I can spell “Linux”. Anticipating Windows 7’s demise (if not in January 2020, it’ll happen eventually), one of the machines I wrangle is a sacrificial netbook on which I’m experimenting: dual-booting the aforementioned W-7 along with Ubuntu. I chose a netbook because I anticipated infelicities with both the BIOS and peripherals. Thus far, the process has lived down to expectations.

      1. jay

        The only reason I went to Qbooks 2013 from 2005 was the recommendation from my CPA because he thought I’d need the payroll function.

        I have a client who uses the cloud version, I’d never trust my data that way.

    2. Readership1

      ^^^

      I’ve got some far out ideas, but this one is too crazy for me.

  15. Mitch

    Brian, what are you going to report on when all the bugs and holes have been patched, all the criminal hackers arrested, the internet providers actually validate and block IP’s that should not originate from them and the SPAM industry is bankrupt? Fashion industry?

    Ha! It’s Friday, I couldn’t resist!

  16. Tanya

    I stumbled onto this site after searching for “multiple problems after windows update October 10 2019”.

    Here is a list of things happening on my Lenovo Ideapad Y700:
    – Constant BSOD. No memory.dmp or minidump files left behind. It happens too fast for me to see what the complaint is on the BSOD.
    – Right-clicking on items in the taskbar does not open the usual menu.
    – After I went to a friend’s house and tried to connect to WiFi, the network icon showed no networks available. I was finally able to get around this by setting up a connection to the network manually. Even after the connection was established, a left-click on the network icon in the taskbar has no effect (the usual list of available networks still does not appear).

    Has anyone else had any of these problems? I’m really hoping that MS is aware of all this trouble and has an update on the way, because I don’t really want to have to reinstall the OS…

    These are the 3 updates installed :
    KB4517389, KB4515871, KB4521863

    I uninstalled the first one, but then Windows apparently reinstalled it, so I took a break.

    Any advice?

    1. cobrickman

      “These are the 3 updates installed : KB4517389, KB4515871, KB4521863”

      I have a customer that has had 4 laptops lose the ability to connect to the network. They are all remote workers this this has been very disruptive. I am trying to narrow down which patch is the culprit. It has hit 1803, 1809, and 1903 versions of Windows 10 Pro.

    2. Loki

      I’m still on Windows 7 x64 and after installing the latest updates, including kb4519976, the Wi-Fi connection I use works, but the network icon in the system tray is the greyed out wifi bars with the gold/yellow star in front of it. This icon usually shows when networks are available but aren’t connected. However, mine is connected, but the icon status remains the same. I always look at that icon to see if I’m connected or not, now I have to click it and see if the connection is actually live or not. It has to be due to the updates because I made a new Win7 image with latest updates and it does this on a fresh install as well. Tried uninstalling drivers, removing the connection in the wizard, etc. The icon never show bar status anymore.

  17. devorah

    kb4517389 a lot of problems, crash system, bsod and freezes hang ups

  18. Paul Farley

    Oct 2019 cumulative update erases all files in My Documents. Also every reboot it says “Windows” and proceeds to erase all browser settings and credentials in Chrome. Do Not install until MS fixes the bugs.

  19. rich

    I’ve messed around with Windows since the DOS days and unfortunately have to use it at work. Also because a lot of hacking/security is done with Windows I have a system at home running Windows 10 but I dread using it.

    I did notice it had crashed which I thought strange but apparently an update was pushed and that may have caused it? At least based on the responses here. Eventually I had to do a hard power down and then after “fixing” the drive, it booted.

    Companies could save a colossal amount of money by moving to Apple computers. I got my first one back in 2007, a laptop, then a 27″ iMac in 2008 (still works fine) and a new 27″ iMac in 2018. I can’t recall one crashing on me. Excel locks up occasionally on a large spreadsheet but the stability is great. Sure they do some things I don’t care for but money well worth spending.

    And yeah I do a lot of Linux stuff as well but I don’t see that working well for the non-techie people.

    I’m not a Microsoft hater but when you compare the products the reliability difference is striking.

    1. PattiM

      We saw this exactly with detroit automobiles. Msft is about making money, not a product.

  20. MS

    Just did the update and it keeps disconnecting me from the Internet. I’m assuming I have to re-install the network adapters, AGAIN?

  21. Eric

    For my main pc laptop which I carry from site to site it’s Windows 8.1 Pro. The drive sled in my Toughbook is removable and I have a second ssd with 10 pro however this is for support only, not production use. For now Microsoft seems focused on Windows 10 and leaves 8.1 pretty much alone. More control over security updates, no silly games, no pesky “feature upbreaks” characteristic of 10.

    As to Mac OS X, I’m troubleshooting an issue with OSX Catalina wherein we get intermittent connectivity to a Windows file share. It seems a green mac user updated their Macbook too soon.

    http://osxdaily.com/2019/10/09/troubleshooting-macos-catalina-problems/

    I’m not sure Apple is the answer, this comes from a company that increasingly is taking away the right to repair your own device, search for ‘repair’ on vice.com. It’s bad enough you need a heat gun to open up a glued together iMac to replace a hard drive. I’d post a link, but the Vice website is having an internal server error.

    Anyone notice with these cloud services are we transitioning back to the “Mainframe” days? When the mainframe breaks, your company shuts down, unless you got a local copy of your data.

Comments are closed.