|
Patch reliability is unclear, but widespread attacks make patching prudent. Go ahead and patch, but watch out for potential problems. |
Newsletter Archives
-
MS-DEFCON 4: Time to get December patches installed
It looks like the “emergency” Internet Explorer patch is working. As for the Outlook patches for the “operation failed” Rules & Alerts bug, your guess is as good as mine — and Microsoft sure isn’t saying anything.
All in all, it’s time to take your medicine, and get your machine caught up. If you’re helping hapless friends or relatives, and they’re using Win10 Pro or Education, get them going with a 15-day cumulative update lag on the Semi-Annual Channel (explained in the article).
Then, if you have a sec, could you explain to my Sainted Aunt Martha — who paid good money for her Win10 machine — exactly what that last sentence means? Windows is sooooooo user-friendly.
Details Computerworld. Yes, even on the day before Christmas. Woody on Windows
-
Where we stand with the December patches
Things were looking pretty good for This Month in Patches — until two days ago.
Now, it’s anybody’s guess whether there’s a real emergency, or whether the IE patch is just a flash in the pan. But I continue to recommend that you hold off on patching — in spite of “The Sky is Falling — Patch Now” warnings from the usual suspects.
If the sky really does start falling, we’ll let you know here first.
Details in Computerworld Woody on Windows.
-
All I want for Christmas is a patching process that works
Instead, I figure it’ll be a lump of cumulative coal.
Details on this month’s patches and their early foibles in Computerworld Woody on Windows.
-
December 2018 Patch Tuesday is under way
December Updates are rolling out. There are 194 updates listed in the Update Catalog.
Martin Brinkman at ghacks.com has his usual thorough summary.
Operating System Distribution
- Windows 7: 9 vulnerabilities of which 9 are rated important.
- Windows 8.1: 8 vulnerabilities of which 8 are rated important.
- Windows 10 version 1607: 12 vulnerabilities of which 2 are critical and 10 are important
- Windows 10 version 1703: 11 vulnerabilities of which 1 is critical and 10 are important
- Windows 10 version 1709: 12 vulnerabilities of which 2 are critical and 10 are important
- Windows 10 version 1803: 12 vulnerabilities of which 2 are critical and 10 are important
- Windows 10 version 1809: 19 vulnerabilities of which 2 are critical and 17 are important
Windows Server products
- Windows Server 2008 R2: 9 vulnerabilities of which 9 are important.
- Windows Server 2012 R2: 9 vulnerabilities of which 1 is critical and 8 are important.
- Windows Server 2016: 11 vulnerabilities of which 2 are critical and 9 are important.
- Windows Server 2019: 13 vulnerabilities of which 2 are critical and 11 are important.
Other Microsoft Products
- Internet Explorer 11: 4 vulnerability, 1 critical, 3 important
- Microsoft Edge: 5 vulnerabilities, 5 critical
Microsoft Office Security Updates are available. There are updates for Office 2016, Office 2013, Office 2010, the Office Viewers and the SharePoint Servers.
The .NET updates include Security-only updates this month, as well as the usual .NET Rollups.
For those of you with Windows 10, there are new Servicing Stack updates:
Win10 1709 Build 16229.846 KB 4477136
Win10 1803 Build 17134.471 KB 4477137Interesting note from Senior Solutions Architect Allan Liska at Recorded Future:
Microsoft Edge has multiple critical vulnerabilities in its Chakra Core scripting engine. This is the now the 15th straight month that Microsoft has disclosed a vulnerability in the Chakra scripting engine, the last Patch Tuesday without a Chakra disclosure was September of 2017. This month’s vulnerability (CVE-2018-8583 and CVE-2018-8629) is a memory corruption vulnerability that, if exploited, would allow an attacker to execute arbitrary code on the victim’s machine.
Note Microsoftie liminzhu’s post on GitHub:
We’ve seen your questions for ChakraCore and we want to be transparent and honest with the open-source community that has given us so much support. To be compatible with the rest of the platform and reduce interoperability risks, Microsoft Edge will use the V8 engine as part of this change. There is much to build and learn, but we’re excited to take part in the V8 community and start contributing to the project.
ChakraCore is currently being used in various projects outside the browser. So, despite the change of direction for Microsoft Edge, our team will continue supporting ChakraCore.
You have to wonder if ChakraCore’s holiness is a contributing factor in Microsoft’s switch to the Chromium rendering engine.
Dustin Childs has his usual report up on the Zero Day Initiative site. He lists one vulnerability as exploited, but not publicly known, and one as known but not yet actively exploited. All the rest are less serious.
The exploited vulnerability — the 0day — has a familiar pedigree:
For the third month in a row, December has a Win32K (kernel-mode drivers) elevation of privilege vulnerability listed as currently under active attack. And, as was the case in previous months, this bug was reported by researchers at Kaspersky Labs, indicating this bug is being used in malware. Again, this is likely being used in targeted attacks in combination with other bugs.
Translation: Unless you’re protecting enormous state secrets (probably in a language other than English), you’re undoubtedly in the clear. Expect an explanation from Kaspersky shortly.
Chris Hoffman at How-To Geek has a seeker warning:
Microsoft hasn’t learned its lesson. If you click the “Check for Updates” button in the Settings app, Microsoft still considers you a “seeker” and will give you “preview” updates that haven’t gone through the normal testing process.
Of course, to be completely clear, I don’t recommend that you install ANY updates. It’s much too early to know what evil lurks in the hearts of man…
-
MS-DEFCON 2: December Patch Tuesday arrives tomorrow; get your machine locked down
My usual monthly admonition applies: Make sure your computer is locked down, to avoid surprises on Patch Tuesday.
I don’t expect a very big Patch Tuesday, frankly, except for those of you on Win10 1809 (who will get to absorb the contents of last week’s non-security cumulative update). Still, even if it’s a rather uneventful Patch Tuesday, you’d be well advised to turn auto updates off.
Computerworld Woody on Windows.
-
December 2018 non-Security Office Updates have been released
These are December 2018 Office updates. They will not be included in the DEFCON approval for the November patches. Unless you have a specific need to install them, you should wait until Susan Bradley (Patch Lady) approves them and any problems have been reported.
Office 2010
Update for Microsoft Office 2010 (KB4227172)
Update for Microsoft Office 2010 (KB4461579)Office 2013
Update for Microsoft InfoPath 2013 (KB4022181)
Office 2016
Update for Skype for Business 2016 (KB4461545)
Update for Microsoft Project 2016 (KB4461540)There were no non-security listings for Office 2007 (which is out of support).
Office 365 and C2R are not included.
Security updates for all supported versions of Microsoft Office are released on the second Tuesday of the month (Patch Tuesday).
Plus Membership
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
Get Plus!
Recent Topics
-
OTT Upgrade Windows 11 to 24H2 on Unsupported Hardware
by 1 hour, 8 minutes ago
-
Inetpub can be tricked
by 2 hours, 27 minutes ago
-
How merge Outlook 2016 .pst file w/into newly created Outlook 2024 install .pst?
by 1 hour, 37 minutes ago
-
FBI 2024 Internet Crime Report
by 4 hours, 57 minutes ago
-
Perplexity CEO says its browser will track everything users do online
by 2 hours, 22 minutes ago
-
Login issues with Windows Hello
by 16 hours, 3 minutes ago
-
How to get into a manual setup screen in 2024 Outlook classic?
by 3 hours, 57 minutes ago
-
Linux : ARMO rootkit “Curing”
by 1 day, 3 hours ago
-
Employee monitoring app leaks 21 million screenshots in real time
by 1 day, 3 hours ago
-
Google AI is now hallucinating idioms
by 1 day, 4 hours ago
-
april update
by 6 hours, 25 minutes ago
-
Windows 11 Insider Preview build 27842 released to Canary
by 1 day, 5 hours ago
-
Quick Fix for Slowing File Explorer
by 1 day, 5 hours ago
-
WuMgr not loading?
by 1 hour, 5 minutes ago
-
Word crashes when accessing Help
by 9 hours, 25 minutes ago
-
New Microsoft Nag — Danger! Danger! sign-in to your Microsoft Account
by 1 day, 4 hours ago
-
Blank Inetpub folder
by 1 day, 2 hours ago
-
Google : Extended Repair Program for Pixel 7a
by 1 day, 15 hours ago
-
Updates seem to have broken Microsoft Edge
by 1 day, 1 hour ago
-
Wait command?
by 1 day, 8 hours ago
-
Malwarebytes 5 Free version manual platform updates
by 1 day, 22 hours ago
-
inetpub : Microsoft’s patch for CVE-2025–21204 introduces vulnerability
by 2 days, 4 hours ago
-
Windows 10 finally gets fix
by 2 days, 13 hours ago
-
AMD Ryzen™ Chipset Driver Release Notes 7.04.09.545
by 2 days, 14 hours ago
-
How to use Skype after May?
by 23 hours, 17 minutes ago
-
Win 7 MS Essentials suddenly not showing number of items scanned.
by 2 days, 9 hours ago
-
France : A law requiring messaging apps to implement a backdoor ..
by 3 days, 4 hours ago
-
Dev runs Windows 11 ARM on an iPad Air M2
by 3 days, 4 hours ago
-
MS-DEFCON 3: Cleanup time
by 1 hour, 19 minutes ago
-
KB5056686 (.NET v8.0.15) Delivered Twice in April 2025
by 1 day, 10 hours ago
Remembering Woody
