View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
October 9, 2019

Microsoft Drops Another SSU: “Sweeping Changes” Coming?

Don't forget to back-up first!

By CBR Staff Writer

Microsoft has pushed out yet another servicing stack update (SSU): code upgrades that in turn allow smooth security updates on Windows systems, and which are critical to effective patch management; businesses need to pay attention.

Most major Windows desktop and server variants — bar Windows Server 2008 and Windows 7/Server 2008 R2 — are affected. (See table below).

servicing stack update

As of November 2018 new servicing stack updates are classified as “security” with a severity rating of “critical.”

Microsoft Servicing Stack Update: Sweeping Changes Coming

SSUs are distinct from Microsoft’s regular cumulative and security updates.

They are updates to the Microsoft code that installs operating system updates.

Without SSUs installed, there’s a chance machines have not installed recent patches, and aren’t accurately reporting OS patch status.

Content from our partners
How businesses can safeguard themselves on the cyber frontline
How hackers’ tactics are evolving in an increasingly complex landscape
Green for go: Transforming trade in the UK

Chris Goettl, Director of Security Solutions at Ivanti, said in an emailed comment: “Microsoft usually releases the SSU at least a couple months before the changes will be fully in effect. The shortest we have observed an SSU release to being required for future updates has been two months.

“Considering Microsoft just released a full set of SSUs for all Windows OSs in September, there are some sweeping changes coming down the road.”

See also: Microsoft Quietly Fixes CPU Slurping Bug 

He added: “We recommend setting aside some time to get these SSUs tested and prepare to start rolling them out, but approach with caution as all but two just received another update. We have seen cases where multiple SSUs were acceptable to move forward, but the October set could also completely supersede the September SSUs when Microsoft enforces them as a pre-requisite. Clear as MUD!”

The notice came after a comparatively light “Patch Tuesday”, with Microsoft pushing out 60 CVEs; nine of which were critical and 51 rated important. None of the CVEs have publicly available exploits or been exploited in the wild.

Critical CVEs were as follows:

  • VBScript Remote Code Execution Vulnerability – CVE-2019-1060, CVE-2019-1238, CVE-2019-1239 (Remote Code Execution)
  • Chakra Scripting Engine Memory Corruption Vulnerability – CVE-2019-1307, CVE-2019-1308, CVE-2019-1335, CVE-2019-1366 (Remote Code Execution)
  • Remote Desktop Client Remote Code Execution Vulnerability – CVE-2019-1333 (Remote Code Execution)
  • Azure App Service Elevation of Privilege Vulnerability – CVE-2019-1372 (Elevation of Privilege)

Security firm Trustwave noted: “On the ‘important’ list, there are [also] 20 CVEs that could allow an elevation of privileges for Microsoft products.

“This should be sufficient reason to update ASAP since affected products include the Windows platform, Microsoft IIS Server and SharePoint.”

Microsoft also patched two privilege escalation vulnerabilities that have been exploited in the wild. CVE-2019-1214 is a vulnerability in the Common Log File System (CLFS) driver, and CVE-2019-1215 applies to the Winsock driver.

Trustwave noted: “These impact all supported versions of Windows, and patching should be prioritised.”

Happy patching! (Don’t forget to back-up…) 

Read this: APT Actors Hitting UK Organisations via Trio of VPN Vulnerabilities: NCSC

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU