Microsoft has pushed out yet another servicing stack update (SSU): code upgrades that in turn allow smooth security updates on Windows systems, and which are critical to effective patch management; businesses need to pay attention.
Most major Windows desktop and server variants — bar Windows Server 2008 and Windows 7/Server 2008 R2 — are affected. (See table below).
As of November 2018 new servicing stack updates are classified as “security” with a severity rating of “critical.”
Microsoft Servicing Stack Update: Sweeping Changes Coming
SSUs are distinct from Microsoft’s regular cumulative and security updates.
They are updates to the Microsoft code that installs operating system updates.
Without SSUs installed, there’s a chance machines have not installed recent patches, and aren’t accurately reporting OS patch status.
Chris Goettl, Director of Security Solutions at Ivanti, said in an emailed comment: “Microsoft usually releases the SSU at least a couple months before the changes will be fully in effect. The shortest we have observed an SSU release to being required for future updates has been two months.
“Considering Microsoft just released a full set of SSUs for all Windows OSs in September, there are some sweeping changes coming down the road.”
He added: “We recommend setting aside some time to get these SSUs tested and prepare to start rolling them out, but approach with caution as all but two just received another update. We have seen cases where multiple SSUs were acceptable to move forward, but the October set could also completely supersede the September SSUs when Microsoft enforces them as a pre-requisite. Clear as MUD!”
The notice came after a comparatively light “Patch Tuesday”, with Microsoft pushing out 60 CVEs; nine of which were critical and 51 rated important. None of the CVEs have publicly available exploits or been exploited in the wild.
Critical CVEs were as follows:
- VBScript Remote Code Execution Vulnerability – CVE-2019-1060, CVE-2019-1238, CVE-2019-1239 (Remote Code Execution)
- Chakra Scripting Engine Memory Corruption Vulnerability – CVE-2019-1307, CVE-2019-1308, CVE-2019-1335, CVE-2019-1366 (Remote Code Execution)
- Remote Desktop Client Remote Code Execution Vulnerability – CVE-2019-1333 (Remote Code Execution)
- Azure App Service Elevation of Privilege Vulnerability – CVE-2019-1372 (Elevation of Privilege)
Security firm Trustwave noted: “On the ‘important’ list, there are [also] 20 CVEs that could allow an elevation of privileges for Microsoft products.
“This should be sufficient reason to update ASAP since affected products include the Windows platform, Microsoft IIS Server and SharePoint.”
Microsoft also patched two privilege escalation vulnerabilities that have been exploited in the wild. CVE-2019-1214 is a vulnerability in the Common Log File System (CLFS) driver, and CVE-2019-1215 applies to the Winsock driver.
Trustwave noted: “These impact all supported versions of Windows, and patching should be prioritised.”
Happy patching! (Don’t forget to back-up…)