November 2018 – Microsoft Patch Tuesday

As we head into November, many of us in the U.S. are getting our first taste this year of colder weather. Even here in Texas, temperatures dropped slightly below freezing last night. But cold or hot, rain or shine (or snow), the security update show must go on.

 

The big news (for some) this month is that Microsoft is re-releasing the Windows 10 October major feature update (v1809) and Server 2019. These were pulled last month after some users had the unpleasant experience of finding that all the data in their Documents, Pictures, Videos, and Music folders had been wiped out. More about that below.

 

The November updates include security fixes for the “usual suspects” – Internet Explorer, Microsoft Edge, Microsoft Windows client and server operating systems, Microsoft Office and Microsoft Office Services and Web Apps, ChakraCore, .NET Core – as well as updates for Skype for Business, Azure App Service on Azure Stack, Team Foundation Server, and Microsoft Dynamics 365 (on-premises) version 8.

 

As always, the Malicious Software Removal Tool (MSRT) is updated to include the latest malware definitions.

Security Advisories

The following security advisories were released on Patch Tuesday this month:

  • ADV180025 November 2018 Adobe Flash Security Update. This advisory refers to the vulnerability described in Adobe’s Security Bulletin APSB18-39 and the update released to address CVE-2018-15978.
  • ADV990001 Latest Servicing Stack Updates. This advisory lists the latest servicing stack updates for each Windows operating system.

Operating system, OS components, and web browser updates

Depending on the version, from thirteen to eighteen vulnerabilities are patched in Windows this month. Two of the patched vulnerabilities are rated critical and the rest are important. In Windows Server, thirteen to nineteen security issues are addressed (again, depending on version). There are three critical vulnerabilities among these, with the rest classified as important.

  • Windows 10 October Feature Update (1809). This update contains a number of security features, bug fixes, and performance enhancements, along with new features that include a new version of the snipping tool called Snip and Sketch, changes to search, a way to make text bigger, battery information for Bluetooth devices, some improvements to Magnifier, and one of my favorites: a built-in clipboard manager (although whether it will replace my beloved Clipboard Fusion remains to be seen). Another that I like is the new version of the Your Phone app for Android that lets you sync your text messages and view phone photos on your PC. Best of all (for some), the update to Edge enables you to stop web pages from automatically playing those annoying videos.


If you still don’t trust this update and want to delay installation, admins can do so using Group Policy, and individuals can configure Settings | Advanced Options to temporarily pause updates and/or defer feature updates. Note that this applies to Windows 10 Pro and Enterprise editions. To delay updates to Windows Home machines, you’ll need to edit the Registry.

  • Windows 10 version 1809 security update KB4467708. If you had already installed the October update, this is a security update for it that provides protections against a speculative execution side-channel vulnerability, addresses a sign-in issue, fixes an IoT file system access issue, fixes an issue with the onscreen keyboard, and patches security vulnerabilities in Edge, Windows Scripting, Internet Explorer, Windows App Platform and Frameworks, Windows Graphics, Windows Media, Windows Kernel, Windows Server, and Windows Wireless Networking.
  • Windows 10 version 1809 Servicing Stack update KB4465664. This addresses a vulnerability in BitLocker.
  • Windows 10 version 1809 security update KB4470646. This fixes an elevation of privilege vulnerability.

The following security updates apply to previous versions of Windows 10:

  • Windows 10 version 1803 – KB4467702 and KB4465663
  • Windows 10 version 1709 – KB4467686 and KB4465661
  • Windows 10 version 1703 – KB4467696 and KB4465660
  • Windows 10 version 1607 – KB4467691 and KB4465659

The following security updates apply to previous Windows operating systems:

  • Windows 8.1 KB4467697 — Monthly Rollup. Addresses high CPU usage and performance degradation with some AMD processors and includes security updates to Windows App Platform and Frameworks, Windows Graphics, Internet Explorer, Windows Wireless Networking, Windows Kernel, and Windows Server.
  • Windows 7 KB4467107 — Monthly Rollup. Includes security updates to Windows App Platform and Frameworks, Windows Graphics, Windows Wireless Networking, Windows Kernel, and Windows Server.
  • Security Monthly Quality Rollup for Windows Server 2008 KB4467706
  • Security Monthly Quality Rollup for Windows Embedded 8 Standard and Windows Server 2012 KB4467701

The following security updates apply to Windows web browsers:

  • Cumulative security update for Internet Explorer 11 KB4466536 – Addresses several reported vulnerabilities in Internet Explorer, the most severe of which could allow remote code execution.

 

 

Microsoft Office updates

Microsoft released security and non-security updates for Office 2016, 2013, and 2010, as well as Excel Viewer, the Office Compatibility Pack SP3, the Office 2016 Language Interface Pack, and SharePoint Server 2019, 2016, 2013, and 2010.

This month, there are 29 security updates and 16 non-security updates.

Other software/services

Security updates were also released on September 11 for the .NET Framework versions 3.5 through 4.7.2 running on Windows Client and Server operating systems and Windows Embedded. This security update resolves a vulnerability in Microsoft .NET Framework that could allow remote code execution when .NET Framework processes untrusted input. An attacker who successfully exploits this vulnerability in software by using .NET Framework could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts that have full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

Critical vulnerabilities

The following are some of the critical vulnerabilities addressed by this month’s updates:

  • CVE-2018-8476 | Windows Deployment Services TFTP Server Remote Code Execution Vulnerability. A remote code execution vulnerability exists in the way that Windows Deployment Services TFTP Server handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code with elevated permissions on a target system.
  • CVE-2018-8541, -8542, -8543, -8551, -8555, -8556, -8557, -8588 | Chakra Scripting Engine Memory Corruption Vulnerabilities. A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
  • CVE-2018-8544 | Windows VBScript Engine Remote Code Execution Vulnerability. A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
  • CVE-2018-8553 | Microsoft Graphics Components Remote Code Execution Vulnerability. A remote code execution vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code on a target system.
  • CVE-2018-8609 | Microsoft Dynamics 365 (on-premises) version 8 Remote Code Execution Vulnerability. A remote code execution vulnerability exists in Microsoft Dynamics 365 (on-premises) version 8 when the server fails to properly sanitize web requests to an affected Dynamics server. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SQL service account.