An Easy October Patch Tuesday

Greg Lambert
October 11, 2018

Well, it was great to have a little break from posting on the Patch Tuesday Debugged blog. Since the kids are now back at school, it’s time to get back to understanding the impact of Microsoft’s Patch Tuesday update cycle on our desktop and server systems.

For this October Patch Tuesday, we see a relatively light release from Microsoft, with one zero-day vulnerability reported (CVE-2018-8453) and one publicly disclosed vulnerability (CVE-2018-8423) included in the Microsoft monthly security update. We have already seen a few minor version updates to this October release, with 51 reported vulnerabilities addressed across Windows, both Microsoft browsers (IE11 and Edge), Office (Exchange Server) and the Chakra Core JavaScript engine. I expect that we will have a few more minor revisions to the Windows patches for documentation reasons this week. This does not imply a required delay, but your patch versions will change (update) over the next few days. You may also have noticed that Server 2019 (Microsoft’s latest version of the Windows server platform) was updated last week (October 2, 2018). You can find this update here. And, if you are looking for a good Patch Tuesday infographic, have a read of Chris Goettl’s security update for October found here.

With only a few known minor issues reported by Microsoft, this update looks good to go, which is hopefully now also the case for the delayed feature release of Windows 10 1809. For a small number of systems, there may be a minor issue with the manual administration of the Exchange updates (4459266), a minor problem with key management on Server 2019 (4462917) and network adapter configurations (4462923). If your network adapter(s) stopped working after deploying Microsoft’s September update, you need to have a look at the October update before general deployment.

Each month, I try to break down the update cycle into product families (as defined by Microsoft) with the following basic groupings.

  • Browsers (Microsoft IE and Edge)
  • Microsoft Windows (both desktop and server)
  • Microsoft Office (Including Web Apps and Exchange)
  • Microsoft ASP.NET Core, .NET Core and Chakra Core
  • Adobe Flash Player

Browsers

October brings eight reported vulnerabilities to IE11 and Edge (CVE-2018-8505, CVE-2018-8509, CVE-2018-8510, CVE-2018-8460, CVE-2018-8473, CVE-2018-8491, CVE-2018-8511, CVE-2018-8513). All eight are rated as critical, as they could lead to remote code execution scenarios. All of these reported vulnerabilities relate to the Microsoft Chakra Script engine and core memory corruption for both IE11 and Microsoft Edge. These types of issues have been commonly reported over the past few years and usually result in a remote code execution scenario on the vulnerable system. Often these vulnerabilities are rapidly exploited, so given the severity rating from Microsoft, add this update to your priority patch deployment effort.

Windows

Windows patches resolve the following vulnerabilities: CVE-2018-8490, CVE-2018-8489, CVE-2018-8494. All are rated as critical by Microsoft and could potentially lead to a remote code execution scenario on the compromised system. The first two reported vulnerabilities (CVE-2018-8490, CVE-2018-8489) relate to user input validation issues in the Microsoft Hyper-V host system. The third and final update to the Windows platform follows a similar line of attack against user input validation processes in the MSXML middleware component. Updating MSXML within Windows used to be scary. If you have a core Line-of-Business (LOB) application that has a key dependency on the latest versions of Microsoft MSXML, then you need to test those core apps. Otherwise, this update should be made a priority for deployment.

Microsoft has also added a support note for the remaining Windows 7 (and Server 2008 R2) systems advising that the Microsoft Servicing Stack Update SSU 31777467 must be installed to apply Windows platform security updates.

Microsoft Office

As an avid Windows user, and a casual Mac user, I was pleased to see that Microsoft has now released a dedicated page for Office 2016 for Mac here. This month Microsoft has addressed eight reported vulnerabilities in the Office Platform (this includes Office 365 and Mac), with the highest rated as important. The biggest issue this month is a potential remote code execution scenario in Microsoft Office’s Protect Mode viewer, with Excel highlighted as the more vulnerable vector for bad actors. Unless you are running SharePoint Server 2010 (meaning Patch Now), add this update to your standard patch deployment effort.

Microsoft Development Platforms

This section covers updates to the .NET, Chakra Core and other development platforms from Microsoft. Microsoft has attempted to resolve seven vulnerabilities in the Chakra Scripting engine. All are rated as critical by Microsoft and could lead to a remote code execution scenario. Though these eight reported issues are serious, we have not seen any related disclosures or reports that these vulnerabilities have been exploited. As all of these issues relate to Edge, they will be included in your browser update schedule.

Adobe Flash

Amazing! There are no critical updates to Adobe Flash Player. Really!
There was a minor security bulletin released (APSB18-35) that addressed performance issues in Chrome, Edge and IE11. Add this update to your standard update deployment schedule.

And finally, the next big day in the update calendar is October 16th for Oracle patches. Let’s see what happens.

Greg Lambert

CEO, Product Evangelist
Greg Lambert is the CEO and product evangelist for Application Readiness Inc. Greg is a co-founder of ChangeBASE and has considerable experience with application packaging technology and its deployment.
