Well, it was great to have a little break from posting on Tuesday's Patch Debug blog. Since the children have returned to school, it is time to go back to understanding the impact of Microsoft's Patch Update cycle on our desktop and server systems.
For this Tuesday patch in October, we see a relatively light release from Microsoft with a reported zero-day vulnerability (CVE-2018-8453) and a publicly disclosed vulnerability CVE-2018-8423 included in the monthly security update Microsoft. We've already seen some minor version updates to this October release, with 51 reported vulnerabilities addressed to Windows, both Microsoft (IE1
With only a few known minor issues reported by Microsoft, this update from Microsoft looks good to go, which is now hoping that the release of the now delayed feature of Windows 10 1809. For a limited number of systems, there may be a problem minor with manual administration of Exchange updates (4459266), a minor problem with key management on Server 2019 (4462917) and network adapter configurations (4462923). If the network cards have stopped working after Microsoft's September update deployment, you need to take a look at the October update before the general implementation.
Every month, I try to break the update cycle into product families (as defined by Microsoft) with the following basic groupings.
- Browser (Microsoft IE and Edge)
- Microsoft Windows (desktop and server)
- Microsoft Office (including Web and Exchange applications)
- Microsoft NET Core, .NET Core and Chakra Core
- Adobe Flash Player
October brings eight vulnerabilities reported to IE11 and Edge ( CVE-2018-8505, CVE-2018-8509, CVE-2018-8510, CVE-2018-8460, CVE-2018-8473, CVE-2018 -8491, CVE-2018-8511, CVE-2018-8513). All eight are considered critical as they could lead to remote control execution scenarios. All of these vulnerabilities reported concern the Microsoft Chakra Script engine and the base memory corruption for IE11 and Microsoft Edge. These types of problems have been commonly reported in recent years and usually result in a remote code execution scenario on the vulnerable system. Often these vulnerabilities are taken advantage of quickly so that, given Microsoft's seriousness, add this update to the commitment to implement priority patches.
address the following vulnerabilities: CVE-2018-8490, CVE-2018 -8489, CVE-2018-8494. All are rated as critical by Microsoft and could potentially lead to a remote code execution scenario on the compromised system. The first two reported vulnerabilities (CVE -2018-8490, CVE-2018-8489) relate to problems in validating user input in the Microsoft Hyper-V host system. The third and last update of the Windows platform follows a similar line of attack against the processes of validating user input with the MS XML middleware component. The update of MSXML on Windows was scary. If you have a basic Line-of-Business (LOB) application that has a key dependency on the latest versions of Microsoft MSXML, you need to test them. Otherwise, this update should be prioritized for distribution.
Microsoft also added a support note for the remaining Windows 7 (and Server 2008 R2) systems that recommend installing the Microsoft Maintenance Stack SSU 31777467 on Windows Platform Security Updates.
As an avid user of Windows and an occasional Mac user, I was pleased to see that Microsoft has now released a dedicated page for Office 2016 for Mac here. This month Microsoft has faced eight reported vulnerabilities in the Office platform (including Office 365 and Mac) with the highest rating as important. The biggest problem this month is a potential remote code execution scenario in the Microsoft Office protected mode viewer with Excel highlighted as the most vulnerable vector for bad actors. Unless you are using SharePoint Server 2010 (that is, Patch now), add this update to the deployment of standard patches.
Microsoft Development Platforms
This section covers updates to .NET, Chakra Core and other Microsoft development platforms. Microsoft has attempted to resolve seven vulnerabilities in the Chakra Scripting engine. All are classified as critical by Microsoft and could lead to a remote code execution scenario. Although these eight reported problems are serious, we have not disclosed any disclosure or reported reporting that these vulnerabilities have been exploited. Because all these issues are released on the Edge, they will be included in the browser update schedule.
Incredible! There are no important updates for Adobe Flash Player. Really!
Finally, the next big update calendar day is October 16th for Oracle patches. Let's see what happens.
This article is published as part of the IDG collaborator network. Would you like to participate?