Yes, we’re still at MS-DEFCON 2 – No need to install any September updates

    Yes, I read the email you probably read this morning. No, I don’t see any reason to recommend that most people update their machines — not yet.

    Here are the two reasons given for rushing to install the September patches:

    CVE-2018-8440 – Windows ALPC Elevation of Privilege Vulnerability – included in all of this month’s Windows patches

    This is the zero-day exploit for Task Scheduler revealed on Twitter by @SandboxEscaper, who kindly provided links to working exploit code. Nice guy. Er, gal. Kevin Beaumont has a good overview here.

    Should you be rushing out to install all of this month’s Windows patches because of ALPC? I don’t think so. First, it’s an elevation-of-privilege exploit — in plain English, that means it’s only usable if a miscreant already has code running on your computer; what it then buys them is a jump from an ordinary user account to full system privileges. Second, the initial round of infections was, according to Ionut Ilascu at BleepingComputer:

    a small number of victims in the following countries: Chile, Germany, India, the Philippines, Poland, Russia, the United Kingdom, the United States, and Ukraine.

    Yes, you’ll need to patch it eventually. Right now, it’s not a huge threat.

    CVE-2018-8475 – Windows Remote Code Execution Vulnerability

    This one’s a more immediate challenge. Microsoft doesn’t give any details that I can find, but apparently somebody could take over your computer if you view a specially crafted image. What isn’t clear is whether the image can do that when it’s rendered by a browser and, if so, which browsers. If it can, that’s a browse-and-own security hole, and that makes it a biggie. But.

    Microsoft’s security advisory says specifically:

    To exploit the vulnerability, an attacker would have to convince a user to download an image file.

    which doesn’t sound like browse-and-own to me: a file the user has to be talked into downloading is a very different class of risk from a web page that’s merely viewed.

    Dustin Childs, one of my favorite analysts, goes on to say:

    Microsoft provides no information on where this is public

    Microsoft lists the security hole as “Disclosed” but not “Exploited.” Symantec hasn’t found any exploits.

    That leads me to believe that it isn’t likely to be widespread in the near term. Again, yes, you’ll have to patch eventually.

    There are also security problems with Hyper-V (“a user on a guest virtual machine could execute code on the underlying hypervisor OS” per Childs), but unless you’re hosting virtual machines that someone else controls, that probably doesn’t matter much to you.

    Looking at the rest of the crop, I don’t see any overwhelming reason to get patched immediately.

    Given the current precarious state of this month’s patches — Intuit still doesn’t have a fix (update: it wasn’t the patches’ fault), there’s an unexplained dropped patch, Win7 is still kicking out error 0x8000FFFF, Win10 1803 can get doubly-patched or not patched at all — there’s plenty of reason to stand pat. And the patches have only been in circulation for three days.
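    If you want to know where your own machine stands — whether it has quietly taken this month’s patches, skipped them, or installed the same cumulative update twice — the Windows Update history will tell you. The script below is an added example, not something from this post or from Microsoft; it assumes 11 September 2018 as this month’s Patch Tuesday and pulls KB numbers out of update titles (an update whose title carries no KB number is grouped under its full title).

```powershell
# Added example (not from the original post): list what Windows Update has
# installed since this month's Patch Tuesday and flag any KB that the history
# records as installed more than once (the "doubly-patched" case).
# Assumptions: 2018-09-11 is the Patch Tuesday date; KB numbers are parsed
# out of update titles.
$patchTuesday = Get-Date '2018-09-11'

# 1. Hotfixes as the OS itself reports them (Win32_QuickFixEngineering).
Write-Host "Hotfixes installed on or after $($patchTuesday.ToShortDateString()):"
Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchTuesday } |
    Sort-Object InstalledOn |
    Format-Table HotFixID, Description, InstalledOn -AutoSize

# 2. Windows Update history via the Windows Update Agent COM API. Unlike
#    Get-HotFix this also shows failed and repeated attempts.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$count    = $searcher.GetTotalHistoryCount()
$history  = if ($count -gt 0) { $searcher.QueryHistory(0, $count) } else { @() }

$recent = foreach ($entry in $history) {
    # Operation 1 = installation, 2 = uninstallation; keep installs only.
    if ($entry.Operation -ne 1 -or $entry.Date -lt $patchTuesday) { continue }
    $kb = if ($entry.Title -match 'KB\d+') { $Matches[0] } else { $entry.Title }
    $result = switch ($entry.ResultCode) {
        2       { 'Succeeded' }
        3       { 'SucceededWithErrors' }
        4       { 'Failed' }
        5       { 'Aborted' }
        default { "Code $($entry.ResultCode)" }
    }
    [pscustomobject]@{ Date = $entry.Date; KB = $kb; Result = $result; Title = $entry.Title }
}

Write-Host "Windows Update history since $($patchTuesday.ToShortDateString()):"
$recent | Sort-Object Date | Format-Table Date, KB, Result -AutoSize

if (-not $recent) {
    Write-Host "No update activity since Patch Tuesday; this machine has not taken the September patches."
}

# Failed installs are worth knowing about (the Win7 0x8000FFFF case shows up here).
$recent | Where-Object Result -eq 'Failed' |
    ForEach-Object { Write-Warning "$($_.KB) failed to install on $($_.Date)" }

# The same KB recorded as successfully installed more than once.
$recent | Where-Object Result -eq 'Succeeded' |
    Group-Object KB | Where-Object Count -gt 1 |
    ForEach-Object { Write-Warning "$($_.Name) recorded as installed $($_.Count) times" }
```

    Run it from an ordinary PowerShell prompt; no elevation is needed to read the update history. If the second listing is empty, the machine is still sitting where this post recommends it sit.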

    Are exploits “likely?” Sure, some day. But not now. Patience, grasshopper.

    Susan Bradley’s newly updated Master Patch List recommends that you wait, as well.