The updates provided in October fix a total of 59 vulnerabilities. These include nine vulnerabilities that Microsoft classified as critical. These affect Windows, the browser Edge and the Internet Explorer and the Azure App Service.

Microsoft classifies most of the remaining vulnerabilities as high risk, one as moderately dangerous. Details on these vulnerabilities can be found on the Security Update Guide.

Internet Explorer

The new Cumulative Security Update (4519974) for Internet Explorer resolves five vulnerabilities in the browser. Two vulnerabilities are classified as critical. Two other vulnerabilities are shared by IE with Edge. Also included in the package is an update for the update against the former 0-day gap CVE-2019-1367, which Microsoft had already fixed on September 23 with an update.

Edge

In the Edge browser Microsoft has fixed seven vulnerabilities, of which the manufacturer classifies four as critical. The scripting engine "Chakra" is in many cases the source of error, especially in all critical gaps. Chakra and Edge do not properly handle memory objects, allowing an attacker to inject code and execute them with user privileges. Microsoft now adds the Edge HTML-based attribute to the browser to distinguish it from the future Chromium-based variant. Edge (Chromium) is already available as a pre-release version.

Office

For its Office family Microsoft delivers updates for six security vulnerabilities. Microsoft does not classify any of these gaps as critical. Two Excel vulnerabilities (CVE-2019-1327, CVE-2019-1331) allow an attacker to inject code with crafted documents, but are only considered critical. In addition to Excel 2010 and newer, they also affect Office 365 Plus as well as Office 2016 and 2019 for Mac.

Windows

The majority of vulnerabilities, 37 vulnerabilities overall, are spread over the various versions of Windows for which Microsoft still offers security updates. Microsoft classifies two of these vulnerabilities as critical. One of these vulnerabilities (CVE-2019-1333) affects the Remote Desktop Client of all versions of Windows.

The second critical vulnerability (CVE-2019-1372) lies in Azure App Service. It can be used to allow a user unprivileged Sandbox Escape feature to execute code with system privileges. The reason for this is that the service does not check the size of a buffer before it writes in memory contents - a classic buffer overflow.

Several vulnerabilities have Microsoft in the Windows Update Client as well as in the error reporting fixed. There are two vulnerabilities in the Jet database engine included in Windows that allow you to run injected code. The Internet Information Services (IIS) web server is getting an update because it has a gap similar to the Azure App Service described above.