قالب وردپرس درنا توس
Home / Technology / An easy October Patch Tuesday

An easy October Patch Tuesday



Well, it was great to have a little break from posting on Tuesday's Patch Debug blog. Since the children have returned to school, it is time to go back to understanding the impact of Microsoft's Patch Update cycle on our desktop and server systems.

For this Tuesday patch in October, we see a relatively light release from Microsoft with a reported zero-day vulnerability (CVE-2018-8453) and a publicly disclosed vulnerability CVE-2018-8423 included in the monthly security update Microsoft. We've already seen some minor version updates to this October release, with 51 reported vulnerabilities addressed to Windows, both Microsoft (IE1

1 and Edge), Office (Exchange Server) and Chakra Core JavaScript engines. I expect that this week we will still have some minor revision of the Windows patches for documentation purposes. This does not imply a required delay, but patch versions will change (update) in the coming days. You may have noticed that Server 2019 (the latest version of Microsoft on the Windows server platform) was updated last week (October 2, 2018). You can find this update here. And, if you're looking for a good Patch Tuesday infographic, read Chris Goettl's security update here for October.

With only a few known minor issues reported by Microsoft, this update from Microsoft looks good to go, which is now hoping that the release of the now delayed feature of Windows 10 1809. For a limited number of systems, there may be a problem minor with manual administration of Exchange updates (4459266), a minor problem with key management on Server 2019 (4462917) and network adapter configurations (4462923). If the network cards have stopped working after Microsoft's September update deployment, you need to take a look at the October update before the general implementation.

Every month, I try to break the update cycle into product families (as defined by Microsoft) with the following basic groupings.

  • Browser (Microsoft IE and Edge)
  • Microsoft Windows (desktop and server)
  • Microsoft Office (including Web and Exchange applications)
  • Microsoft NET Core, .NET Core and Chakra Core
  • Adobe Flash Player

October brings eight vulnerabilities reported to IE11 and Edge ( CVE-2018-8505, CVE-2018-8509, CVE-2018-8510, CVE-2018-8460, CVE-2018-8473, CVE-2018 -8491, CVE-2018-8511, CVE-2018-8513). All eight are considered critical as they could lead to remote control execution scenarios. All of these vulnerabilities reported concern the Microsoft Chakra Script engine and the base memory corruption for IE11 and Microsoft Edge. These types of problems have been commonly reported in recent years and usually result in a remote code execution scenario on the vulnerable system. Often these vulnerabilities are taken advantage of quickly so that, given Microsoft's seriousness, add this update to the commitment to implement priority patches.

Windows patches

address the following vulnerabilities: CVE-2018-8490, CVE-2018 -8489, CVE-2018-8494. All are rated as critical by Microsoft and could potentially lead to a remote code execution scenario on the compromised system. The first two reported vulnerabilities (CVE -2018-8490, CVE-2018-8489) relate to problems in validating user input in the Microsoft Hyper-V host system. The third and last update of the Windows platform follows a similar line of attack against the processes of validating user input with the MS XML middleware component. The update of MSXML on Windows was scary. If you have a basic Line-of-Business (LOB) application that has a key dependency on the latest versions of Microsoft MSXML, you need to test them. Otherwise, this update should be prioritized for distribution.

Microsoft also added a support note for the remaining Windows 7 (and Server 2008 R2) systems that recommend installing the Microsoft Maintenance Stack SSU 31777467 on Windows Platform Security Updates.

Microsoft Office

As an avid user of Windows and an occasional Mac user, I was pleased to see that Microsoft has now released a dedicated page for Office 2016 for Mac here. This month Microsoft has faced eight reported vulnerabilities in the Office platform (including Office 365 and Mac) with the highest rating as important. The biggest problem this month is a potential remote code execution scenario in the Microsoft Office protected mode viewer with Excel highlighted as the most vulnerable vector for bad actors. Unless you are using SharePoint Server 2010 (that is, Patch now), add this update to the deployment of standard patches.

Microsoft Development Platforms

This section covers updates to .NET, Chakra Core and other Microsoft development platforms. Microsoft has attempted to resolve seven vulnerabilities in the Chakra Scripting engine. All are classified as critical by Microsoft and could lead to a remote code execution scenario. Although these eight reported problems are serious, we have not disclosed any disclosure or reported reporting that these vulnerabilities have been exploited. Because all these issues are released on the Edge, they will be included in the browser update schedule.

Adobe Flash

Incredible! There are no important updates for Adobe Flash Player. Really!

A secondary security bulletin ( APSB18-35) was published that dealt with performance issues in Chrome, Edge, and IE11. Add this update to your standard update implementation schedule.

Finally, the next big update calendar day is October 16th for Oracle patches. Let's see what happens.

This article is published as part of the IDG collaborator network. Would you like to participate?


Source link