Patch Tuesday November 2018
Windows 10 October 2018 Update Rereleased
It’s been a long wait, but Microsoft has finally rereleased Window 10 version 1809 to Windows Update and for those who want to download the media. Originally released on October 9th for ‘seekers’, i.e. those who actively open the Settings app and click Check for updates, Microsoft pulled Windows 10 1809 a few days later after receiving reports that some users had lost data during the upgrade process. Windows Server 2019 was also pulled.
Microsoft later rolled out cumulative patches to Insiders to fix the original data loss issue, plus some other problems that came to light, including a problem extracting files from zip archives. Clearly, Microsoft decided to carry out more comprehensive testing before the update was released again as it took over a month to resurface.
Windows 10 and Windows Server 2016
There are 9 critical updates for Windows 10 this month. CVE-2018-8544 fixes a problem with how Visual Basic Script (VBS) handles objects in memory that could allow an attacker to run arbitrary code in the context of the logged in user. All the other critical vulnerabilities are connected to the ChakraCore scripting engine used by Edge and can all be exploited remotely.
Passwords Haven’t Disappeared Yet
123456. Qwerty. Iloveyou. No, these are not exercises for people who are brand new to typing. Shockingly, they are among the most common passwords that end users choose in 2021. Research has found that the average business user must manually type out, or copy/paste, the credentials to 154 websites per month. We repeatedly got one question that surprised us: “Why would I ever trust a third party with control of my network?
CVE-2018-8566 patches a flaw in BitLocker that could allow an attacker with physical access to read data because Windows suspends encryption. CVE-2018-8549 fixes a vulnerability where Windows incorrectly validates Kernel driver signatures, potentially allowing unsigned kernel drivers to be loaded into memory. And CVE-2018-8417 fixes a problem that might allow an attacker to use Microsoft JScript to bypass Device Guard.
CVE-2018-8592 is an interesting vulnerability in Windows 10 version 1809 that could allow access to a system if they have physical access when upgrading to version 1809 and selecting the ‘Keep nothing’ option. The remaining fixes plug 6 elevation of privilege, 3 information disclosure, 1 spoofing, 1 remote code execution, and 1 tampering flaw.
Microsoft has confirmed that a bug in KB4462919 for Windows 10 version 1803 causes problems with file associations that affect applications, like Notepad++, that don’t have capabilities set in the Windows registry. Microsoft has said that it hopes to push out a fix by late November.
Windows 7 and Windows Server 2008
There are 4 critical patches for Windows 7 this month. The VBScript flaw fixed in CVE-2018-8544 also affects Windows 7. Additionally, CVE-2018-8553 patches a problem with Microsoft Graphics Components that incorrectly handle objects in memory and could let an attacker run arbitrary code.
Organizations should pay special attention to CVE-2018-8589, which patches a problem where Windows improperly handles Win32k.sys calls. An attacker could run arbitrary code in the context of the local system using a specially crafted application. This flaw is already being exploited in the wild, so it’s important to make sure systems are patched in a timely fashion. Using application control, like AppLocker, to block unsanctioned code could also help protect against this vulnerability.
Microsoft Dynamics 365 version 8 gets patches for a cross site scripting vulnerability. SharePoint has two patches for an elevation of privilege vulnerability and an information disclosure issue. And Outlook, Word, and Excel get patches for some remote code execution flaws.
Microsoft has rolled out an update for Flash Player that could lead to information disclosure. An important patch for Adobe Acrobat Reader should be installed as quickly as possible as there is already proof-of-concept code available on the Internet. The flaw could let an attacker get access to the logged-in user’s NTLM hash, which could be used to access resources or to determine the user’s password.
I haven’t heard of any serious problems caused by this month’s patches. But as always, be sure to test them out before distributing them widely in your own environment.