|
There are isolated problems with current patches, but they are well-known and documented on this site. |
Newsletter Archives
-
MS-DEFCON 4: Time to get December patches installed
It looks like the “emergency” Internet Explorer patch is working. As for the Outlook patches for the “operation failed” Rules & Alerts bug, your guess is as good as mine — and Microsoft sure isn’t saying anything.
All in all, it’s time to take your medicine, and get your machine caught up. If you’re helping hapless friends or relatives, and they’re using Win10 Pro or Education, get them going with a 15-day cumulative update lag on the Semi-Annual Channel (explained in the article).
Then, if you have a sec, could you explain to my Sainted Aunt Martha — who paid good money for her Win10 machine — exactly what that last sentence means? Windows is sooooooo user-friendly.
Details Computerworld. Yes, even on the day before Christmas. Woody on Windows
-
Where we stand with the December patches
Things were looking pretty good for This Month in Patches — until two days ago.
Now, it’s anybody’s guess whether there’s a real emergency, or whether the IE patch is just a flash in the pan. But I continue to recommend that you hold off on patching — in spite of “The Sky is Falling — Patch Now” warnings from the usual suspects.
If the sky really does start falling, we’ll let you know here first.
Details in Computerworld Woody on Windows.
-
All I want for Christmas is a patching process that works
Instead, I figure it’ll be a lump of cumulative coal.
Details on this month’s patches and their early foibles in Computerworld Woody on Windows.
-
December 2018 Patch Tuesday is under way
December Updates are rolling out. There are 194 updates listed in the Update Catalog.
Martin Brinkman at ghacks.com has his usual thorough summary.
Operating System Distribution
- Windows 7: 9 vulnerabilities of which 9 are rated important.
- Windows 8.1: 8 vulnerabilities of which 8 are rated important.
- Windows 10 version 1607: 12 vulnerabilities of which 2 are critical and 10 are important
- Windows 10 version 1703: 11 vulnerabilities of which 1 is critical and 10 are important
- Windows 10 version 1709: 12 vulnerabilities of which 2 are critical and 10 are important
- Windows 10 version 1803: 12 vulnerabilities of which 2 are critical and 10 are important
- Windows 10 version 1809: 19 vulnerabilities of which 2 are critical and 17 are important
Windows Server products
- Windows Server 2008 R2: 9 vulnerabilities of which 9 are important.
- Windows Server 2012 R2: 9 vulnerabilities of which 1 is critical and 8 are important.
- Windows Server 2016: 11 vulnerabilities of which 2 are critical and 9 are important.
- Windows Server 2019: 13 vulnerabilities of which 2 are critical and 11 are important.
Other Microsoft Products
- Internet Explorer 11: 4 vulnerability, 1 critical, 3 important
- Microsoft Edge: 5 vulnerabilities, 5 critical
Microsoft Office Security Updates are available. There are updates for Office 2016, Office 2013, Office 2010, the Office Viewers and the SharePoint Servers.
The .NET updates include Security-only updates this month, as well as the usual .NET Rollups.
For those of you with Windows 10, there are new Servicing Stack updates:
Win10 1709 Build 16229.846 KB 4477136
Win10 1803 Build 17134.471 KB 4477137Interesting note from Senior Solutions Architect Allan Liska at Recorded Future:
Microsoft Edge has multiple critical vulnerabilities in its Chakra Core scripting engine. This is the now the 15th straight month that Microsoft has disclosed a vulnerability in the Chakra scripting engine, the last Patch Tuesday without a Chakra disclosure was September of 2017. This month’s vulnerability (CVE-2018-8583 and CVE-2018-8629) is a memory corruption vulnerability that, if exploited, would allow an attacker to execute arbitrary code on the victim’s machine.
Note Microsoftie liminzhu’s post on GitHub:
We’ve seen your questions for ChakraCore and we want to be transparent and honest with the open-source community that has given us so much support. To be compatible with the rest of the platform and reduce interoperability risks, Microsoft Edge will use the V8 engine as part of this change. There is much to build and learn, but we’re excited to take part in the V8 community and start contributing to the project.
ChakraCore is currently being used in various projects outside the browser. So, despite the change of direction for Microsoft Edge, our team will continue supporting ChakraCore.
You have to wonder if ChakraCore’s holiness is a contributing factor in Microsoft’s switch to the Chromium rendering engine.
Dustin Childs has his usual report up on the Zero Day Initiative site. He lists one vulnerability as exploited, but not publicly known, and one as known but not yet actively exploited. All the rest are less serious.
The exploited vulnerability — the 0day — has a familiar pedigree:
For the third month in a row, December has a Win32K (kernel-mode drivers) elevation of privilege vulnerability listed as currently under active attack. And, as was the case in previous months, this bug was reported by researchers at Kaspersky Labs, indicating this bug is being used in malware. Again, this is likely being used in targeted attacks in combination with other bugs.
Translation: Unless you’re protecting enormous state secrets (probably in a language other than English), you’re undoubtedly in the clear. Expect an explanation from Kaspersky shortly.
Chris Hoffman at How-To Geek has a seeker warning:
Microsoft hasn’t learned its lesson. If you click the “Check for Updates” button in the Settings app, Microsoft still considers you a “seeker” and will give you “preview” updates that haven’t gone through the normal testing process.
Of course, to be completely clear, I don’t recommend that you install ANY updates. It’s much too early to know what evil lurks in the hearts of man…
-
MS-DEFCON 2: December Patch Tuesday arrives tomorrow; get your machine locked down
My usual monthly admonition applies: Make sure your computer is locked down, to avoid surprises on Patch Tuesday.
I don’t expect a very big Patch Tuesday, frankly, except for those of you on Win10 1809 (who will get to absorb the contents of last week’s non-security cumulative update). Still, even if it’s a rather uneventful Patch Tuesday, you’d be well advised to turn auto updates off.
Computerworld Woody on Windows.
-
December 2018 non-Security Office Updates have been released
These are December 2018 Office updates. They will not be included in the DEFCON approval for the November patches. Unless you have a specific need to install them, you should wait until Susan Bradley (Patch Lady) approves them and any problems have been reported.
Office 2010
Update for Microsoft Office 2010 (KB4227172)
Update for Microsoft Office 2010 (KB4461579)Office 2013
Update for Microsoft InfoPath 2013 (KB4022181)
Office 2016
Update for Skype for Business 2016 (KB4461545)
Update for Microsoft Project 2016 (KB4461540)There were no non-security listings for Office 2007 (which is out of support).
Office 365 and C2R are not included.
Security updates for all supported versions of Microsoft Office are released on the second Tuesday of the month (Patch Tuesday).
Plus Membership
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
Get Plus!
Recent Topics
-
What are right steps to move MS 365 Office+OneDrive files from PC to iMac?
by 16 hours, 36 minutes ago
-
How to move existing MS 365 Office with OneDrive files from PC to new iMac
by 16 hours, 40 minutes ago
-
How to move MS 365 files (some on OneDrive) from PC to iMac
by 16 hours, 44 minutes ago
-
Microsoft adding Quick Machine Recovery to Windows 11
by 17 hours, 1 minute ago
-
Microsoft vs Passwords
by 1 hour, 4 minutes ago
-
Windows 11 Insider Preview build 26200.5516 released to DEV
by 20 hours, 49 minutes ago
-
Windows 11 Insider Preview build 26120.3653 (24H2) released to BETA
by 20 hours, 50 minutes ago
-
Two March KB5053606 updates?
by 14 hours, 14 minutes ago
-
MS Edge Not Updating to v134.0.3124.95 (rel. 27-Mar-2025)
by 14 hours, 47 minutes ago
-
Intel® Graphics/Sound Driver updates for 7th-10th Gen Intel® Core™ Processor
by 17 hours, 21 minutes ago
-
Is there a comprehensve way to tranfer ALL current Edge Settings into a new Edge
by 15 hours, 59 minutes ago
-
Transferring ALL info/settings from current Firefox to new computer Firefox
by 15 hours, 42 minutes ago
-
DOGE Wants to Replace SSA 60 Million Line COBOL Codebase in Months
by 11 hours, 14 minutes ago
-
KB5051989 Usb printer Post Ipp
by 1 day, 8 hours ago
-
Removing bypassnro
by 3 hours, 40 minutes ago
-
Up to 30 seconds to show “Recent Topics”
by 13 hours, 27 minutes ago
-
Sound changes after upgrade from W11 23H2
by 1 day, 14 hours ago
-
Windows bug blocks BIOS updates for Lenovo ThinkPad laptops
by 1 day, 18 hours ago
-
O&O Software – ‘World Backup Day’ Sale
by 1 day, 14 hours ago
-
Still version 23H2?
by 1 day, 18 hours ago
-
Ubuntu 25.04 (Plucky Puffin) Beta released
by 2 days ago
-
How to install App Store apps on an external SSD
by 2 days, 1 hour ago
-
Where is Windows going?
by 15 hours, 28 minutes ago
-
Installing Feature Update Windows 11 24H2
by 2 days, 19 hours ago
-
Windows 11 Insider Preview build 27823 released to Canary
by 2 days, 19 hours ago
-
Windows 11 Hotpatch
by 2 days, 2 hours ago
-
System Guard service error still won’t be fixed
by 2 days, 20 hours ago
-
Operation ForumTroll: APT attack with Google Chrome zero-day exploit chain
by 2 days, 14 hours ago
-
Troy Hunt of HaveIBeenPwned Phished
by 9 minutes ago
-
Microsoft Windows security auditing Code 5061
by 3 days, 8 hours ago
Remembering Woody
