Patch Tuesday: The good, the bad, the ugly and the hopeless
Patch Tuesday patches are rolling out right now and there’s a bunch of them.
A quick glance at the Microsoft Update Catalog shows 104 individual patches, dated Oct. 5 to 8 (none for Oct. 9 that I can see).
Microsoft’s master list is here.
I’m perplexed by the first cumulative update for Win10 version 1809, KB 4464330:
Addresses an issue affecting group policy expiration where an incorrect timing calculation may prematurely remove profiles on devices subject to the “Delete user profiles older than a specified number of day.”
There’s no indication whether that fixes all of the disappearing Documents, Photos, etc., files that some encountered, although it may well explain the “Delete user profiles” GPO problem. If it makes any difference, there’s been no change in the “Known issues” section of the original Win10 1809 release, KB 4464619. If Microsoft fixed the file deletion problem, they didn’t change the KB article to reflect the fix.
There’s also no indication whether this means the forced upgrades from 1803 to 1809 are poised to begin.
Martin Brinkmann at ghacks.net has his usual comprehensive list:
- Windows 7: 13 vulnerabilities of which 2 are critical and 11 are important.
- Windows 8.1: 14 vulnerabilities of which 2 are critical and 12 are important.
- Windows 10 version 1607: 19 vulnerabilities of which 3 are critical and 16 are important.
- Windows 10 version 1703: 18 vulnerabilities of which 3 are critical and 15 are important.
- Windows 10 version 1709: 20 vulnerabilities of which 3 are critical and 17 are important.
- Windows 10 version 1803: 20 vulnerabilities of which 2 are critical and 18 are important.
- Windows 10 version 1809: 19 vulnerabilities of which 3 are critical and 16 are important.
Dustin Childs on the Zero Day Initiative page weighs in:
Microsoft released 49 security patches and two advisories covering Internet Explorer (IE), Edge, ChakraCore, Hyper-V, Exchange, Windows components, .NET Core, SQL Server, and Microsoft Office and Office Services. Of the 49 CVEs, 12 are listed as Critical, 35 are rated Important, one is rated as Moderate, and one is rated Low in severity. A total of eight of these CVEs came through the ZDI program. Three of these bugs are listed as publicly known at the time of release and one of these is reported as being actively exploited.
We also got a Servicing Stack Update for Win10 1809, KB 4465477. If you’re manually installing the cumulative update for 1809 (sanity alert), be sure to get the SSU installed first. Thx @KPRP42.
The only hole known to be actively exploited is a privilege escalation bug, which means the attacker has to be running on your machine already before they can take advantage of the bug.
There’s a bumper crop of Office security patches, for Office 2010, 2013, 2016, several viewers, SharePoint Server 2010, 2013 and 2016.
The SANS Internet Storm Center posted its usual overview, confirming that only one bug is currently known to be in use, and it’s a privilege elevation bug.