November 2019 Patch Tuesday arrives – along with Win10 version 1909
The patches are out. There are 116 new individual patches in the Update Catalog covering 74 separately identified security holes (CVEs).
Worthy of note is the Win10 1903 cumulative update Knowledge Base article KB 4524570:
To reflect this change, the release notes for Windows 10, version 1903 and Windows 10, version 1909 will share an update history page. Each release page will contain a list of addressed issues for both 1903 and 1909 versions. Note that the 1909 version will always contain the fixes for 1903; however, 1903 will not contain the fixes for 1909. This page will provide you with the build numbers for both 1909 and 1903 versions so that it will be easier for support to assist you if you encounter issues.
That’s a significant question answered! Sure enough, the KB article has two pull-down sections, one for 1903 and one for 1909. It looks like the 1909 flavor has only the same patches as the 1903 version.
I can confirm that KB 4524570 installed on my Win10 1909 test machine (which is not in the Insider program). Build 18363.476. Nothing has gone kablooey.
There’s a new post on the Insider Blog that tells you how to get Win10 version 1909. Basically, follow all of the steps in “How to block the Windows 10 November 2019 Update, version 1909, from installing,” but at the end click “Download and install now.” That’s good news.
Martin Brinkmann on ghacks.net posted the salient details:
- Win7: 35 security holes
- Win8.1: 37 security holes
- Win10: 46 vulnerabilities
And, of course, this is the last planned cumulative update for Win10 version 1803.
There are links on ghacks.net to all of the downloads and KB articles, as well as an Excel overview.
Dustin Childs has his usual rundown for the Zero Day Initiative. Of particular concern is yet another “exploited” hole in Internet Explorer:
CVE-2019-1429 – Scripting Engine Memory Corruption Vulnerability
Reported through the Google Threat Analysis Group, this patch for IE corrects a vulnerability in the way that the scripting engine handles objects in memory. This vague description for memory corruption means that an attacker can execute their code if an affected browser visits a malicious web page or opens a specially crafted Office document. That second vector means you need this patch even if you don’t use IE. Microsoft gives no information on the nature of the active attacks, but they are likely limited at this time.
At least we aren’t seeing another round of chicken-with-its-head-cut-off multiple out-of-band patches for an obscure in-the-wild exploit, like we did last month. I’ll keep an eye on it and let you know if it starts causing problems for anyone other than nuclear research firms and missile launch systems.
@PKCano advises that there are new SSUs on the hoof:
- KB 4523206 for Win7
- KB 4524445 for Win8.1