Well, it was great to have a little break from posting on the Patch Tuesday Debugged blog. Since the kids are now back at school, it’s time to get back to understanding the impact of Microsoft’s Patch Tuesday update cycle on our desktop and server systems.
With only a few minor known issues reported by Microsoft, this month’s update looks good to go, which is hopefully now also the case for the delayed feature release of Windows 10 1809. For a small number of systems, there may be a minor issue with the manual administration of the Exchange updates (4459266), a minor problem with key management on Server 2019 (4462917) and with network adapter configurations (4462923). If your network adapter(s) stopped working after deploying Microsoft’s September update, you need to have a look at the October update before general deployment.
Each month, I try to break down the update cycle into product families (as defined by Microsoft) with the following basic groupings.
- Browsers (Microsoft IE and Edge)
- Microsoft Windows (both desktop and server)
- Microsoft Office (Including Web Apps and Exchange)
- Microsoft ASP.NET Core, .NET Core and Chakra Core
- Adobe Flash Player
October brings eight reported vulnerabilities to IE11 and Edge (CVE-2018-8505, CVE-2018-8509, CVE-2018-8510, CVE-2018-8460, CVE-2018-8473, CVE-2018-8491, CVE-2018-8511, CVE-2018-8513). All eight are rated as critical as they could lead to remote code execution scenarios. All of these reported vulnerabilities relate to the Microsoft Chakra Script engine and core memory corruption for both IE11 and Microsoft Edge. These types of issues have been commonly reported over the past few years and usually result in a remote code execution scenario on the vulnerable system. These vulnerabilities are often rapidly exploited, so given the severity rating from Microsoft, add this update to your priority patch deployment effort.
Windows patches resolve the following vulnerabilities: CVE-2018-8490, CVE-2018-8489, CVE-2018-8494. All are rated as critical by Microsoft and potentially could lead to a remote code execution scenario on the compromised system. The first two reported vulnerabilities (CVE-2018-8490, CVE-2018-8489) relate to user input validation issues in the Microsoft Hyper-V host system. The third and final update to the Windows platform follows a similar line of attack against user input validation processes with the MS XML middleware component. Updating MSXML within Windows used to be scary. If you have a core Line-of-Business (LOB) application that has a key dependency on the latest versions of Microsoft MSXML, then you need to test those core apps. Otherwise, this update should be made a priority for deployment.
Microsoft has also added a support note for the remaining Windows 7 (and Server 2008 R2) systems advising that the Microsoft Servicing Stack Update SSU 31777467 must be installed to Windows platform security updates.
As an avid Windows user, and a casual Mac user, I was pleased to see that Microsoft has now released a dedicated page for Office 2016 for Mac here. This month Microsoft has addressed eight reported vulnerabilities in the Office Platform (this includes Office 365 and Mac) with the highest rating as important. The biggest issue this month is a potential remote code execution scenario in Microsoft Office’s Protect Mode viewer, with Excel highlighted as the more vulnerable vector for bad actors. Unless you are running SharePoint Server 2010 (meaning Patch Now), add this update to your standard patch deployment effort.
Microsoft Development Platforms
This section covers updates to the .NET, Chakra Core and other development platforms from Microsoft. Microsoft has attempted to resolve seven vulnerabilities in the Chakra Scripting engine. All are rated as critical by Microsoft and could lead to a remote code execution scenario. Though these eight reported issues are serious, we have not seen any related reported disclosures or reports that these vulnerabilities have been exploited. As all of these issues are released to Edge, they will be included in your browser update schedule.
Amazing! There are no critical updates to Adobe Flash Player. Really!
There was a minor security bulletin released (APSB18-35) that addressed performance issues in Chrome, Edge and IE11. Add this update to your standard update deployment schedule.
And finally, the next big day in the update calendar is October 16th for Oracle patches. Let’s see what happens.