This Month’s Breakdown on Latest Updates from Microsoft and Adobe
by Chris Goettl, director of product management, Security, Ivanti
I can’t believe it’s November already. My wife is a Christmas fanatic, which likely has a little to do with being born on December 24th. Well, she already found a radio station that switched to Christmas music. I have not been out to any stores in the past two weeks, but I am just as certain that Christmas is taking them by storm as well. It feels too early for Christmas, doesn’t it? We still haven’t gorged ourselves on turkey! That debate lives on, but one certainty is that Patch Tuesday is here again. You can be certain there are updates aplenty from Microsoft and Adobe today. Here is the breakdown:
Microsoft has resolved 62 unique vulnerabilities across 15 updates. Amongst these are a zero-day vulnerability in Windows 7, Server 2008 and Server 2008 R2 and a public disclosure in Windows 10, Server 2016 and Server 2019.
Servicing Stack Update
Microsoft has released additional Servicing Stack Updates for Windows 10, Server 2016, and Server 2019 this month. If you have not already done last month’s Servicing Stack Update for Windows 7, Server 2008, and Server 2008 R2. The Servicing Stack Update from October has a known issue where the update process would halt at “Stage 2 of 2” or “Stage 3 of 3” of the restart process. The guidance from Microsoft if you encounter the issue is to press Ctrl+Alt+Del to continue to log on. The error should only occur once and updates should still apply without issue.
Microsoft Zero Day and Public Disclosure
Microsoft has resolved a zero-day vulnerability (CVE-2018-8589) in Windows 7, Server 2008 and Server 2008 R2. The Elevation of Privilege vulnerability exists in Win32k.sys and could allow an attacker to run arbitrary code in the context of the local system. The CVE is rated as Important, and the attacker would need to log on to the system to exploit the vulnerability, but a successful exploit would give the attacker full control of the affected system.
Microsoft has resolved a publicly disclosed vulnerability (CVE-2018-8566) in Windows 10, Server 2016 and Server 2019. The Security Feature Bypass vulnerability exists in BitLocker and could allow an attacker to bypass protection to gain access to encrypted data. To exploit the vulnerability, the attacker must gain physical access to the target system. Systems that can be physically accessed, especially laptops, will be a higher priority for applying the update. This vulnerability is not related to the guidance (ADV180028) previously given for configuring BitLocker to enforce software encryption.
The priority this month should be all Windows OS updates and Edge. Internet Explorer has several Important vulnerabilities resolved as does Office, but all of the Critical vulnerabilities, exploits and disclosures are in the OS and Edge browser.
Microsoft is re-releasing Windows 10 1809 and Server 2019 after pulling them in October due to user data being deleted after upgrading. Take a moment to test before rolling out just to be cautious.
Adobe Releases and Public Disclosure
Adobe released two updates this month resolving two unique CVEs. The Adobe Flash Player update this month resolves only one Important vulnerability. The Adobe Acrobat and Reader update (APSB18-40) resolves one Important vulnerability (CVE-2018-15979) as well, but this CVE has been publicly disclosed according to the Adobe Bulletin Page. The vulnerability could allow an attacker to take advantage of a weakness in Microsoft NTLM to redirect a user to a malicious resource outside your organization to obtain the NTLM authentication messages.
About the Author
Chris Goettl is director of product management, security, Ivanti. Chris is a strong industry voice with more than 10 years of experience in supporting, implementing, and training IT Admins on how to implement strong patching processes. He hosts a monthly Patch Tuesday webinar, blogs on vulnerability and related software security topics, and he is often quoted as a security expert in the media. Chris can be reached online on Twitter at @ChrisGoettl and at www.ivanti.com