Patch Tuesday, November 2019 Edition

Microsoft today released updates to plug security holes in its software, including patches to fix at least 74 weaknesses in various flavors of Windows and programs that run on top of it. The November updates include patches for a zero-day flaw in Internet Explorer that is currently being exploited in the wild, as well as a sneaky bug in certain versions of Office for Mac that bypasses security protections and was detailed publicly prior to today’s patches.

More than a dozen of the flaws tackled in this month’s release are rated “critical,” meaning they involve weaknesses that could be exploited to install malware without any action on the part of the user, except for perhaps browsing to a hacked or malicious Web site or opening a booby-trapped file attachment.

Perhaps the most concerning of those critical holes is a zero-day flaw in Internet Exploder Explorer (CVE-2019-1429) that has already seen active exploitation. Today’s updates also address two other critical vulnerabilities in the same Windows component that handles various scripting languages.

Microsoft also fixed a flaw in Microsoft Office for Mac (CVE-2019-1457) that could allow attackers to bypass security protections in some versions of the program that could let malicious macros through.

Macros are bits of computer code that can be embedded into Office files, and malicious macros are frequently used by malware purveyors to compromise Windows systems. Usually, this takes the form of a prompt urging the user to “enable macros” once they’ve opened a booby-trapped Office document delivered via email. Thus, Office has a feature called “disable all macros without notification.”

But Microsoft says all versions of Office still support an older type of macros that do not respect this setting, and can be used as a vector for pushing malware. Will Dornan of CERT/CC reports that while Office 2016 and 2019 for Mac will still prompt the user before executing these older macro types, Office for Mac 2011 fails to warn users before opening them.

Other Windows applications or components receiving patches for critical flaws today include Microsoft Exchange and Windows Media Player. In addition, Microsoft also patched nine vulnerabilities — five of them critical — in the Windows Hyper-V, an add-on to the Windows Server OS (and Windows 10 Pro) that allows users to create and run virtual machines (other “guest” operating systems) from within Windows.

Although Adobe typically issues patches for its Flash Player browser component on Patch Tuesday, this is the second month in a row that Adobe has not released any security updates for Flash. However, Adobe today did push security fixes for a variety of its creative software suites, including Animate, Illustrator, Media Encoder and Bridge. Also, I neglected to note last month that Adobe released a critical update for Acrobat/Reader that addressed at least 67 bugs, so if you’ve got either of these products installed, please be sure they’re patched and up to date.

Finally, Google recently fixed a zero-day flaw in its Chrome Web browser (CVE-2019-13720). If you use Chrome and see an upward-facing arrow to the right of the address bar, you have an update pending; fully closing and restarting the browser should install any available updates.

Now seems like a good time to remind all you Windows 7 end users that Microsoft will cease shipping security updates after January 2020 (this end-of-life also affects Windows Server 2008 and 2008 R2). While businesses and other volume-license purchasers will have the option to pay for further fixes after that point, all other Windows 7 users who want to stick with Windows will need to consider migrating to Windows 10 soon.

Standard heads-up: Windows 10 likes to install patches all in one go and reboot your computer on its own schedule. Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update. To get there, click the Windows key on your keyboard and type “windows update” into the box that pops up.

Keep in mind that while staying up-to-date on Windows patches is a good idea, it’s important to make sure you’re updating only after you’ve backed up your important data and files. A reliable backup means you’re probably not freaking out when the odd buggy patch causes problems booting the system. So do yourself a favor and backup your files before installing any patches.

As ever, if you experience glitches or problems installing any of these patches this month, please feel free to leave a comment about it below; there’s a decent chance other readers have experienced the same and may even chime in here with some helpful tips.

Tags: adobe, CVE-2019-1429, CVE-2019-1457, Internet Explorer zero-day, macros, microsoft, Office for Mac, Windows 7 end-of-life

This entry was posted on Tuesday, November 12th, 2019 at 5:04 pm and is filed under Time to Patch. You can follow any comments to this entry through the RSS 2.0 feed. You can skip to the end and leave a comment. Pinging is currently not allowed.


  • No Related Posts

Hypervisor Security Update

Hotfixes have been released to address these issues. Citrix recommends that affected customers install these hotfixes as their patching schedules allow. The hotfixes can be downloaded from the following locations:

Citrix Hypervisor 8.0:

CTX262555 –

CTX258428 –

Citrix XenServer 7.6:

CTX262554 –

CTX258425 –

Citrix XenServer 7.1 LTSR CU2:

CTX262553 –

CTX258424 –

Citrix XenServer 7.0:

CTX258417 –

CTX258423 –


Update Task Disabled

I need a solution

If there’s a problem in Windows that’s preventing a patch from installing, once the source of the problem is resolved, should the agent retry deployment at my preset patch times?  There was a cryptography issue with installing KB4489885 that affected a few of our desktops so checking on whether I need to take any kind of action in my SMC.



  • No Related Posts

Vulnerabilities Tool Seems Very Off

I do not need a solution (just sharing information)

I think it’s looking only for specific windows patches as resolution for vulnerabilities, particularly on our Server 2012 machine, which has gotten a lot of rollup patches.  Windows Update tells me we are current but the CWP tool is tell me we have a number of vulnerabilities.  There is just too much noise here to be useful.  It would also be fantastic if you could triage them in some way in the tool and either assign them to users or mark them as handled in some way.  Otherwise it all has to come out of the tool.



Updated Advisory: Sophos Central Maintenance previously scheduled for Saturday June 15th, 2019 has been postponed

6/14/19 update: The scheduled maintenance referenced in this article has been postponed and will not take place this Saturday. We will update this Article when this maintenance has been rescheduled.

Original advisory:

Sophos Central Engineering will be performing routine maintenance to Sophos Central on Saturday June 15th, 2019 starting at 13:00 (UTC). Expected time to complete maintenance is five hours.

  • There will be no disruption to protected endpoints during this time period.
  • This KBA and Sophos StatusCast page will reflect status of maintenance once started as in progress and then when it is completed

Applies to the following Sophos products and versions

Sophos Central Enterprise Dashboard

Sophos Central Partner

Sophos Central Admin

Customers will see a banner show up in their Central Admin Dashboard indicating there is maintenance occurring and will be displayed throughout the maintenance period.

While we do not anticipate any interruption or degradation of service during the maintenance update, in some instances a customer may experience the following:

  • May be auto logged out of Central portal
  • New endpoint installations may take longer to complete.
  • May experience temporary latency within Central UI portals.
  • May experience a delay in policy rendering.

Should the above occur, please try again shortly and or once the Central maintenance has completed.

Upon the conclusion of the maintenance, the maintenance banner within the UI will be removed and the “What’s New” section in Sophos Central will be updated accordingly.

Sign up for the Sophos Support SMS Notification Service to get the latest product release information and critical issues.

If you’ve spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article.

This is invaluable to us to ensure that we continually strive to give our customers the best information possible.


Responder policy is processed before AAA feature, after the ADC firmware version upgrade to 12.1 build 51.19.

It affects policies that have a rule expression such as ‘true’. Ideally, using a policy rule that bypasses pre-login traffic would resolve the issue.

For example,

Add responder policy aaa_unauth_responder_policy SYS.ERROR.CATEGORY.EQ(AAA_LOGIN_REDIRECT).NOT <action-name>

The above is a workaround for this behaviour. However, in ADC Version 12.1 Build 52.x, this is handled natively such that customers need not configure workaround.


  • No Related Posts

Deployment and Patch Don’t Always Play Well Together

I need a solution

I’m running 8.5 RU2 with persistent connection, and I love how real time many things are.

I have noticed, though, if I’m deploying an image with many software installs that install as post image tasks, often patch will begin installing titles and this creates a conflict causing my software installs to fail.

For example, we have a technology lab with several adobe titles, several autocad titles, etc.  It can take these image jobs 80+ minutes to complete.

The agent should somehow be smart enough to not allow these install conflicts to happen.  Please don’t suggest I start building fat images building the titles into the image, that’s just bad practice.  If I need to update Photoshop on 3 labs, I don’t want to rebuild 3 images, I just want to update 1 post image task used in the 3 lab imaging jobs.

For now, I’m just disabling all my patch policies when we image those lab machines, but that’s not ideal and a little bit of a security risk as someone needs to re-enable them.

I don’t want to not put the patch plugin on the base image because as soon as it attempts to install, it kills the agent mid whatever it’s doing.  I thought about having a dummy file placed at end of image time and then scope the patch plugin to only install on computers with that dummy file, but again I think this would also a timing issue because existing machines in the console being reimaged would fall into the filter and attempt to install the agent as soon as they come up.

Thoughts?  I am sure I posted this issue before, and I looked through my post history, but couldn’t find it, so I apologize if I’m repeating myself to some.

I’ll put a ticket in as well.



  • No Related Posts