Patch Tuesday October 2018

Windows 10 Hero Good

Windows 10 October 2018 Update

Microsoft was due to release Windows 10 version 1809 more widely on Patch Tuesday via Windows Update. It had been made available a week earlier for ‘seekers’, i.e. those who have compatible hardware and manually Check for updates in the Settings app, or who downloaded the updated Media Creation Tool. But reports of deleted user data prompted Microsoft to halt the rollout.

For more information on the October 2018 Update for Windows 10, see Microsoft Pulls Windows 10 October 2018 Update from Windows Update on Petri.

Windows 10 and Windows Server 2016

This month sees 49 vulnerabilities patched for Windows Server 2016 and Windows 10, 7 of which are critical remote code execution flaws. 3 of them apply to Hyper-V, 2 to MS XML, one to the Win32k graphics subsystem, and one to Windows. The bugs are rated critical because they could be exploited without any user interaction.

The remaining fixes are all rated important. 5 are remote code execution vulnerabilities and 12 are elevation of privilege, one of which affects the Win32k graphics subsystem and was already being exploited in the wild. Two other vulnerabilities were also publicly disclosed before Patch Tuesday but are not known to have been exploited. They are CVE-2018-8497, which is an elevation of privilege vulnerability and a remote code execution flaw in Microsoft’s JET Database Engine (CVE-2018-8423).

There are also four security feature bypass patches. Two apply to Windows Defender Application Control (Device Guard), one in the DNS Global Blocklist feature, and one when the Hyper-V BIOS loader fails to provide a high-entropy source.

Microsoft Edge and Internet Explorer

There are 10 critical patches for Edge this month, all of which are remote code execution. 8 are rated important, and one of them is a security feature bypass flaw that bypasses Same-Origin Policy (SOP) restrictions, passing requests that should be blocked. There’s also a spoofing flaw that could let an attacker trick users into thinking they are on a legitimate site.

Internet Explorer 11 gets 8 patches, 5 of which are critical. Two are remote code execution memory corruption vulnerabilities that could let an attacker run code in the context of the logged in user. Bad news if you are a local administrator.

Microsoft Office

Office 2016 gets 3 important remote code execution fixes where PowerPoint, Excel, and Word fail to properly handle objects in Protected View. The click-to-run (C2R) version of Office 2016 also has 3 remote code execution fixes, one is critical where the Windows font library improperly handles embedded fonts. Another is in Microsoft Word if a user opens a specially crafted PDF file. And Excel contains a flaw where objects in memory aren’t handled correctly, which could allow an attacker to run code in the context of the logged in user.

Exchange and SharePoint

Exchange 2016 gets three patches. One is an elevation of privilege vulnerability in the way Outlook Web Access (OWA) handles web requests, and two are remote code execution flaws. One could let an attacker use specially crafted email messages to run arbitrary code in the context of the system user. The second is a vulnerability in the way that certain applications built using Microsoft Foundation Classes (MFC) handle the loading of DLL files. An attacker could take complete control of affected devices.

SharePoint 2016 is patched for 5 elevation of privilege flaws, and two information disclosure. All of which are rated important. SharePoint 2013 gets 4 elevation of privilege patches and two information disclosure.


Flash Player gets updated this month but there are no security issues patched. But there are security updates for Acrobat Reader and other products, including Digital Editions and Experience Manager.

That’s it until November!