This month's Patch Tuesday is mainly notable in that there isn't a whole lot to note, which is a change of pace. No 0-days, no vulnerabilities that had been publicly disclosed already, and nothing that could allow worms to proliferate. And nothing from Adobe. Of course, that doesn't mean there's nothing to do: Microsoft still published 59 CVEs today. And in case you missed it, Microsoft released an out-of-band fix for Internet Explorer (IE) two weeks ago for a Remote Code Execution (RCE) vulnerability seen exploited in the wild (CVE-2019-1367).
The majority of vulnerabilities patched by Microsoft this month affect their core Windows product, including two Remote Desktop Protocol (RDP) vulnerabilities. CVE-2019-1333 allows RCE against clients that can be convinced to connect to a malicious server, and CVE-2019-1326 is a denial of service vulnerability that could be used to cause an RDP server to stop responding. Both affect all supported versions of Windows.
As usual, there are also fixes for Microsoft's browsers. CVE-2019-1238 is an RCE vulnerability in the VBScript engine, which affects IE as well as any component that hosts the IE rendering engine – for example, an ActiveX control in an Office document. A couple of vulnerabilities in Excel were also patched: patch tuesday october
