Light Month Follows Microsoft’s Pause on Windows 10 Update
by Chris Goettl, director of product management, Security, Ivanti
Microsoft has given us a ‘Fall Break’ this October with a very light set of updates. We have one zero-day vulnerability and one publicly disclosed vulnerability and NO security updates for Adobe Flash this month... a break indeed!
The zero-day vulnerability is CVE-2018-8453. It exists in the Win32 component of the operating system, which fails to properly handle objects in memory. An attacker first needs to log into the operating system, but can then exploit this vulnerability to run code in the kernel and gain administrator privileges. This vulnerability has a Base CVSS score of 7 and is present in all operating systems with updates this month, from Server 2008 through Windows 10.
The publicly disclosed vulnerability is CVE-2018-8423, Microsoft JET Database Engine Remote Code Execution Vulnerability. An attacker who successfully exploited this vulnerability could take control of an affected system; however, this vulnerability does not allow for elevation of privilege directly. A local user exploiting this vulnerability will have limited rights compared to an administrator. Exploitation requires a specially crafted file that takes advantage of the JET database engine. It is also addressed in all operating systems. The Base CVSS score for this vulnerability is 7.8.
There were a total of 49 CVEs addressed across the portfolio. As expected, the majority (33) were fixed in Windows 10, Edge and the associated Server versions. Also, please note that there was an update for Server 2019, which was made generally available last week. Microsoft continued the trend from last month of releasing both a monthly rollup and a security-only update for Server 2008; prior to that there was only a single security update. Updates were released for all supported versions of Exchange Server and SharePoint Server this month as well.
Office received updates for Excel, Outlook, PowerPoint and Word, and of course the Office Suite bundle. Office for Mac version 16.17 from last Patch Tuesday, and all future 16.17+ releases, are now officially “Office 2019.” “Office 2016” will continue to receive updates “as needed” until October 2020, and thankfully it now has a separate release notes page. Office 2016 will continue to support macOS all the way back to Yosemite (10.10), while Office 2019 requires Sierra (10.12) or later. Office 365 will work fine with either the Office 2016 or Office 2019 patches, though Office 365 is technically now on the Office 2019 branch.
If you are looking for Windows 10, version 1809, also known as the Windows 10 October 2018 Update, you can’t download it right now. Microsoft has paused the rollout while they fix some significant issues. The biggest problem reported by many users, our content team included, is that the update deletes all your files in the C:\Users\[username]\Documents\ folder. To add further concern, rolling back to the previous version does not restore the files. Other problems were reported, including a compatibility problem with Intel Display Audio device drivers and Task Manager not displaying correct CPU usage information. Like me, you are probably asking, “how can this happen?” We’re not alone; several articles are questioning the Microsoft quality control process and the Insider program, which is supposed to expose all these bugs prior to release.
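Because rolling back does not bring the files back, the practical safeguard before a feature update is to record exactly what is in the Documents folder and verify it afterwards. The script below is an added example, not code from the original post or an Ivanti tool: it builds a manifest of relative path and SHA-256 for every file under a folder, saves it as JSON (keep that copy off the volume being upgraded), and compares a pre-upgrade manifest with a post-upgrade one to list files that went missing, changed or appeared. The Documents location (%USERPROFILE%\Documents) and the manifest file name are assumptions, and the demo files are constructed.

```python
"""Snapshot a folder before a Windows feature update and verify it afterwards.

Added example (not from the original post). Assumes the user's Documents
folder lives at %USERPROFILE%\\Documents on Windows; the manifest file name
is an arbitrary choice.
"""
from __future__ import annotations

import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str | os.PathLike) -> dict[str, str]:
    """Map each regular file under root (relative POSIX-style path) to its SHA-256."""
    root_path = Path(root)
    manifest: dict[str, str] = {}
    for dirpath, _dirs, filenames in os.walk(root_path):
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_file():  # skip broken symlinks, sockets, etc.
                manifest[full.relative_to(root_path).as_posix()] = sha256_file(full)
    return manifest


def save_manifest(manifest: dict[str, str], path: str | os.PathLike) -> None:
    """Persist the manifest as JSON; store it outside the volume being upgraded."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def load_manifest(path: str | os.PathLike) -> dict[str, str]:
    """Read a manifest previously written by save_manifest."""
    with open(path, "r", encoding="utf-8") as f:
        return json.load(f)


def compare_manifests(before: dict[str, str], after: dict[str, str]) -> dict[str, list[str]]:
    """Report files that vanished, whose content changed, or that are new."""
    return {
        "missing": sorted(p for p in before if p not in after),
        "changed": sorted(p for p in before if p in after and before[p] != after[p]),
        "added": sorted(p for p in after if p not in before),
    }


def default_documents_folder() -> Path:
    """Best-effort location of the folder the 1809 issue affected (assumption)."""
    return Path(os.environ.get("USERPROFILE", str(Path.home()))) / "Documents"


def simulate_loss_demo() -> dict[str, list[str]]:
    """Self-contained demonstration with constructed files: snapshot, then
    simulate an upgrade that deletes one file, rewrites another and adds a third."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp) / "Documents"
        (docs / "notes").mkdir(parents=True)
        (docs / "report.docx").write_bytes(b"quarterly report v1")
        (docs / "notes" / "todo.txt").write_bytes(b"renew certificates")
        (docs / "budget.xlsx").write_bytes(b"numbers")

        before = build_manifest(docs)  # pre-upgrade snapshot
        save_manifest(before, Path(tmp) / "before.json")

        (docs / "notes" / "todo.txt").unlink()  # file silently lost
        (docs / "report.docx").write_bytes(b"quarterly report v2")  # content changed
        (docs / "new.txt").write_bytes(b"created post-upgrade")

        after = build_manifest(docs)  # post-upgrade snapshot
        return compare_manifests(load_manifest(Path(tmp) / "before.json"), after)


if __name__ == "__main__":
    # Real use: build_manifest(default_documents_folder()) before the update,
    # save it to removable media, then compare after the update completes.
    print(json.dumps(simulate_loss_demo(), indent=2))
```

Run it once before starting the upgrade and once after; any entry under "missing" is a file you need to recover from backup, since the rollback path described above will not return it.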
I mentioned in my introduction that we did not have a Flash update from Microsoft, but Adobe did release a non-security update under APSB18-35. Apple released a security update for iCloud for Windows 7.7 that addresses 19 vulnerabilities, so definitely look into that if you use Apple products.
In closing, don’t forget Oracle has their Critical Patch Update (CPU) on October 16, so in addition to their application updates you can get the latest Java patches. Enjoy your fall break!
About the Author
Chris Goettl is director of product management, security, Ivanti. Chris is a strong industry voice with more than 10 years of experience in supporting, implementing, and training IT admins on how to implement strong patching processes. He hosts a monthly Patch Tuesday webinar, blogs on vulnerability and related software security topics, and is often quoted as a security expert in the media. Chris can be reached online on Twitter at @ChrisGoettl and at www.ivanti.com.