October 2018 – Microsoft Patch Tuesday

Each year seems to go by more quickly than the last, and here we are – already into the fourth and last quarter of this year that feels as if it just started.

Microsoft updates have already been in the news this month, and not in a good way. Of course we’re talking about the “October Surprise” – the Windows 10 major feature update released on October 2 (version 1809) that reportedly caused some folks to lose the data in their profile folders (Documents, Pictures, Videos, Music, Downloads) if they had it set up to sync with the OneDrive cloud storage service. Ouch. Microsoft “paused” the rollout of the update and asked people not to install it now.

 

This is a shame, because the fall update includes some great new capabilities that many of us have been wanting, including clipboard history and sync across multiple devices, a new “snip and sketch” tool that will replace the venerable snipping tool, and an app for viewing your phone’s photos from your PC. But for now, most will find it best to be prudent and wait for Microsoft to fix the problems before installing this update.

 

Meanwhile, today is Patch Tuesday and the regular slate of security updates has been released, so let’s focus on that. As usual, we have patches for all supported client and server operating systems: Windows 7, 8.1, and 10, and Server 2008 R2, 2012 R2, 2016, and the newly released Server 2019. Both Microsoft web browsers also have vulnerabilities patched.

 

As always, the Malicious Software Removal Tool (MSRT) is updated to include the latest malware definitions.

 

Security Advisories

The following security advisory was released on Patch Tuesday this month:

  • ADV180026 Microsoft Office Defense in Depth Update. This is an update to various components of Microsoft Office 2010, 2013, 2016, and 2019, as well as Office 365 ProPlus.

Operating system, OS components, and web browser updates

In summary, we’re looking at 13 to 20 vulnerabilities in the Windows client, depending on the OS version. Windows 10 versions 1709 and 1803 have the largest number of vulnerabilities – 20 vulnerabilities each, with 3 of them rated critical in 1709 and 2 rated critical in 1803. 

The Windows Server operating systems have 14 to 19 vulnerabilities, with the two newest versions (2016 and 2019) having the most; both are getting patches for 19 vulnerabilities, 3 of which are rated critical.

Microsoft Edge has 9 vulnerabilities patched this time and 6 of those are critical. IE 11 comes in with only 2 vulnerabilities, but both are rated critical.

The following updates to the Windows client and server operating systems were released on October 9:

 

  • KB4462923 — Windows 7 Service Pack 1 and Windows Server 2008 R2 Monthly Rollup. This security update includes improvements and fixes that were a part of update KB4457139 (released September 20, 2018) and addresses security updates to Windows Media Player, Windows Graphics, Microsoft Graphics Component, Windows Storage and Filesystems, Windows Kernel, and the Microsoft JET Database Engine.
  • KB4462926 — Windows 8.1 and Windows Server 2012 R2 Monthly Rollup. Security updates to Windows Media Player, Microsoft Graphics Component, Windows Datacenter Networking, Windows Storage and Filesystems, Windows Kernel, and Microsoft JET Database Engine.
  • KB4462919 — Windows 10, version 1803. Security updates to Internet Explorer, Windows Media Player, Microsoft Graphics Component, Windows Peripherals, Windows Shell, Windows Kernel, Windows Datacenter Networking, Windows Storage and Filesystems, Microsoft Edge, Microsoft Scripting Engine, Windows Linux, and the Microsoft JET Database Engine.
  • KB4462918 — Windows 10, version 1709. Security updates to Internet Explorer, Windows Media Player, Microsoft Graphics Component, Windows Shell, Windows Kernel, Windows Datacenter Networking, Windows Storage and Filesystems, Microsoft Scripting Engine, and the Microsoft JET Database Engine.
  • KB4462937 — Windows 10, version 1703. Security updates to Internet Explorer, Windows Media Player, Microsoft Graphics Component, Microsoft Edge, Windows Kernel, Windows Storage and Filesystems, and Microsoft Scripting Engine.
  • KB4462917 — Windows 10, version 1607 and Windows Server 2016. Security updates to Internet Explorer, Windows Media Player, Microsoft Graphics Component, Microsoft Edge, Windows Kernel, Windows Datacenter Networking, Microsoft Scripting Engine, Microsoft JET Database Engine, and Windows Storage and Filesystems.

If you have already updated to version 1809 despite the warnings, Microsoft has issued the following update for it:

  • Windows 10, version 1809. Security updates to Windows Kernel, Microsoft Graphics Component, Microsoft Scripting Engine, Internet Explorer, Windows Storage and Filesystems, Windows Linux, Windows Wireless Networking, Windows MSXML, the Microsoft JET Database Engine, Windows Peripherals, Microsoft Edge, and Windows Media Player. Also addresses an issue affecting group policy expiration where an incorrect timing calculation may prematurely remove profiles on devices subject to the “Delete user profiles older than a specified number of days” policy.

Microsoft also released the following Server-only update on October 9:

  • KB4463097 — Security Monthly Quality Rollup for Windows Server 2008. Addresses an issue in which all guest virtual machines running Unicast NLB fail to respond to NLB requests after the virtual machines restart, and includes security updates to Windows Media Player, Microsoft Office Graphics, Microsoft Graphics Component, Windows Storage and Filesystems, and the Microsoft JET Database Engine.
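
To confirm that a machine actually received the rollup listed above for its OS, the following added PowerShell example (not from Microsoft or the original post) maps the OS build number to the KB numbers given in this article and checks the installed hotfix list. The build numbers, the `Test-OctoberRollup` function name and the status strings are assumptions introduced for illustration; it assumes Windows PowerShell 3.0 or later.

```powershell
# Added example: KB numbers come from the list in this post.
# Build numbers are the usual ones for each release (assumption: the post does not list them).
$OctoberRollups = @{
    6002  = 'KB4463097'   # Windows Server 2008 (SP2)
    7601  = 'KB4462923'   # Windows 7 SP1 / Server 2008 R2
    9600  = 'KB4462926'   # Windows 8.1 / Server 2012 R2
    14393 = 'KB4462917'   # Windows 10 1607 / Server 2016
    15063 = 'KB4462937'   # Windows 10 1703
    16299 = 'KB4462918'   # Windows 10 1709
    17134 = 'KB4462919'   # Windows 10 1803
}

function Test-OctoberRollup {
    param(
        [Parameter(Mandatory)][int]$Build,
        [string[]]$InstalledKb = @()
    )
    if (-not $OctoberRollups.ContainsKey($Build)) {
        # For example build 17763 (version 1809): the post gives no KB number for it,
        # so report that instead of guessing one.
        return [pscustomobject]@{ Build = $Build; Expected = $null; Status = 'NoKbListedInPost' }
    }
    $kb = $OctoberRollups[$Build]
    $status = if ($InstalledKb -contains $kb) { 'Installed' } else { 'NotFound' }
    [pscustomobject]@{ Build = $Build; Expected = $kb; Status = $status }
}

# Offline check against constructed sample data (not real inventory output).
Test-OctoberRollup -Build 17134 -InstalledKb @('KB4100347', 'KB4462919')   # Installed
Test-OctoberRollup -Build 16299 -InstalledKb @('KB4100347')                # NotFound
Test-OctoberRollup -Build 17763                                            # NoKbListedInPost

# Live check on the local machine.
$build     = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
$installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
Test-OctoberRollup -Build $build -InstalledKb $installed
```

A `NotFound` result is a prompt to investigate, not proof of exposure: once a later cumulative update is installed, that newer KB may be listed in place of the October one.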

The following updates for the Microsoft web browsers were released on October 9:

  • KB4462949 — Cumulative security update for Internet Explorer. This security update resolves several reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage in Internet Explorer. To learn more about these vulnerabilities.
  • Updates to Microsoft Edge are included in the Windows 10 rollups.

Microsoft Office updates

The Defense in Depth update referenced in ADV180026 above provides enhanced security as a defense-in-depth measure and addresses various vulnerabilities, including arbitrary code execution issues.

Microsoft released updates for Office 2016, 2013, and 2010, and separately for Outlook, Word, Excel, and PowerPoint 2016, 2013, and 2010 that address remote code execution vulnerabilities.

Other software/services

Security updates were also released on September 11 for the .NET Framework versions 3.5 through 4.7.2 running on Windows Client and Server operating systems and Windows Embedded. This security update resolves a vulnerability in Microsoft .NET Framework that could allow remote code execution when .NET Framework processes untrusted input. An attacker who successfully exploits this vulnerability in software by using .NET Framework could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts that have full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

Critical vulnerabilities

The following are some of the critical vulnerabilities addressed by this month’s updates:

  • CVE-2018-8489, CVE-2018-8490 | Windows Hyper-V Remote Code Execution Vulnerabilities. A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code.
  • CVE-2018-8494 | MS XML Remote Code Execution Vulnerability. A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input. An attacker who successfully exploited the vulnerability could run malicious code remotely to take control of the user’s system. To exploit the vulnerability, an attacker could host a specially crafted website designed to invoke MSXML through a web browser.
  • CVE-2018-8460 | Internet Explorer Memory Corruption Vulnerability. A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, the attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • CVE-2018-8473 | Microsoft Edge Memory Corruption Vulnerability. A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that enables an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • CVE-2018-8511, CVE-2018-8513 | Chakra Scripting Engine Memory Corruption Vulnerabilities. Remote code execution vulnerabilities exist in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

 
