Newsletter Archives
-
MS-DEFCON 3: September patches are as baked as they’re gonna get
We had quite a ride with the last-minute patches to Win10 1803 and 1709. I think I’ve found out why MS released that huge bunch of kitchen sink fixes late in the month.
Full details in Computerworld Woody on Windows.
We’re now at MS-DEFCON 3: Patch reliability is unclear, but widespread attacks make patching prudent. Go ahead and patch, but watch out for potential problems.
-
The Windows ALPC security hole CVE-2018-8440 is now readily exploitable
One of this month’s security patches has taken on a more prominent position.
CVE-2018-8440 — the ALPC privilege escalation bug — has just been added to the Metasploit trove.
No, the sky isn’t falling. Yes, you’re going to see the ALPC exploit more frequently.
Remember, CVE-2018-8440 is a privilege escalation security hole, which means it only comes into play if your machine is already running an invasive program.
This just turns up the pressure to get this month’s patches installed. Which means I’m looking hard at the MS-DEFCON 2 setting, and cursing the fickle Win10 cumulative update gods, who gave us three cumulative updates in the past 10 days. The third of which may well be malfunctioning and pulled already.
No rest for the weary.
-
Patch Alert: September patches look good — but why the out-of-band stuff?
Hard to believe after the July mayhem, but this month it looks like the patches are quite benign. A bit mixed up, perhaps, but there are no loud screams of pain.
Computerworld Woody on Windows.
-
FragmentSmack a real concern for servers — this month’s patches guard against it
If you’re running a Windows server, take note. FragmentSmack is a real DDoS vulnerability that’s slowly becoming more prevalent.
Catalin Cimpanu at ZDNet says:
While desktop users will rarely see a FragmentSmack attack, admins of Windows-based servers should apply the latest fixes at their earliest convenience.
The “latest fixes” are the September cumulative updates and Monthly Rollups for all supported versions of Windows and Server.
-
Yes, we’re still at MS-DEFCON 2 – No need to install any September updates
Yes, I read the email you probably read this morning. No, I don’t see any reason to recommend that most people update their machines — not yet.
Here are the two reasons given for rushing to install the September patches:
CVE-2018-8440 – Windows ALPC Elevation of Privilege Vulnerability – included in all of this month’s Windows patches
This is the zero-day exploit for Task Scheduler revealed on Twitter by @SandboxEscaper, who kindly provided links to working exploit code. Nice guy. Er, gal. Kevin Beaumont has a good overview here.
Should you be rushing out to install all of this month’s Windows patches because of ALPC? I don’t think so. First, it’s a privilege escalation exploit — in plain English, that means it’s only usable if a miscreant already has access to your computer. Second, the initial round of infections was, according to Ionut Ilascu at Bleepingcomputer:
a small number of victims in the following countries: Chile, Germany, India, the Philippines, Poland, Russia, the United Kingdom, the United States, and Ukraine.
Yes, you’ll need to patch it eventually. Right now, it’s not a huge threat.
CVE-2018-8475 – Windows Remote Code Execution Vulnerability
This one’s a more immediate challenge. Microsoft doesn’t give any details that I can find, but apparently somebody could take over your computer if you view an image. What isn’t clear is whether the image can take over if it’s viewed through a browser and, if so, which ones. That’s a browse-and-own security hole and that makes it a biggie. But.
Microsoft’s security advisory says specifically:
To exploit the vulnerability, an attacker would have to convince a user to download an image file.
which doesn’t sound like browse-and-own to me.
Dustin Childs, one of my favorite analysts, goes on to say:
Microsoft provides no information on where this is public
Microsoft lists the security hole as “Disclosed” but not “Exploited.” Symantec hasn’t found any exploits.
That leads me to believe that it isn’t likely to be widespread in the near term. Again, yes, you’ll have to patch eventually.
There are also security problems with Hyper-V (“a user on a guest virtual machine could execute code on the underlying hypervisor OS” per Childs), but that probably doesn’t matter much to you.
Looking at the rest of the crop, I don’t see any overwhelming reason to get patched immediately.
Given the current precarious state of this month’s patches — Intuit still doesn’t have a fix (update: it wasn’t the patches’ fault), there’s an unexplained dropped patch, Win7 is still kicking out error 0x8000FFF, Win10 1803 can get doubly-patched or not patched at all — there’s plenty of reason to stand pat. And the patches have only been in circulation for three days. Are exploits “likely?” Sure, some day. But not now. Patience, grasshopper.
Susan Bradley’s newly updated Master Patch List recommends that you wait, as well.
-
September Windows/Office security patches
Martin Brinkmann has his usual comprehensive (and fast!) list on ghacks.net. Summary:
Operating System Distribution
- Windows 7: 18 vulnerabilities of which 3 are critical and 15 are important.
- Windows 8.1: 22 vulnerabilities of which 4 are critical and 18 are important.
- Windows 10 version 1703: 25 vulnerabilities of which 5 are critical and 18 are important. (extra critical is CVE-2018-0965)
- Windows 10 version 1709: 24 vulnerabilities of which 4 are critical and 20 are important.
- Windows 10 version 1803: 29 vulnerabilities of which 5 are critical and 24 are important. (extra critical is CVE-2018-0965)
Windows Server products
- Windows Server 2008 R2: 18 vulnerabilities of which 3 are critical and 15 are important.
- Windows Server 2012 R2: 22 vulnerabilities of which 4 are critical and 18 are important.
- Windows Server 2016: 25 vulnerabilities of which 5 are critical and 20 are important.
Other Microsoft Products
- Internet Explorer 11: 6 vulnerabilities, 3 critical, 3 important
- Microsoft Edge: 13 vulnerabilities, 7 critical, 6 important
I see 127 individual patches in the Microsoft Update Catalog and 47 entries in the Security Updates Summary.
Office 365 has a new Click-to-Run version. For those of you with installed (“MSI”) versions of Office, there’s a long list of new patches which includes 2010, 2013, 2016, Office viewers and SharePoint Servers. (Thx @PKCano.)
Official Release notes include two new advisories.
There’s a servicing stack update for Win10 1803. If you install updates through Windows Update, that doesn’t matter — but if you are manually downloading and installing 1803 updates, be sure to snag KB 4456655 first.
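For anyone scripting the manual route, here is an added example (not from the post or from Microsoft) that checks for KB 4456655 with Get-HotFix and installs it before the cumulative update; the .msu paths in C:\Patches are assumptions, and the cumulative update file name is a placeholder.

```powershell
# Added example: apply the Win10 1803 servicing stack update (KB4456655)
# before a manually downloaded cumulative update. File names below are
# assumptions; the cumulative update path is a placeholder to fill in.
$SsuKb  = 'KB4456655'
$SsuMsu = 'C:\Patches\windows10.0-kb4456655-x64.msu'        # assumed file name
$LcuMsu = 'C:\Patches\<cumulative-update-for-1803>.msu'     # placeholder

function Test-KbInstalled {
    param([Parameter(Mandatory)][string]$Kb)
    # Get-HotFix reads the installed-updates inventory (Win32_QuickFixEngineering).
    return [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
}

function Install-Msu {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Missing update package: $Path" }
    # wusa.exe exit codes: 0 = installed, 3010 = installed but reboot required,
    # 2359302 (0x240006, WU_S_ALREADY_INSTALLED) = already present.
    $p = Start-Process -FilePath 'wusa.exe' `
            -ArgumentList "`"$Path`" /quiet /norestart" -Wait -PassThru
    switch ($p.ExitCode) {
        0       { Write-Host "Installed: $Path" }
        3010    { Write-Host "Installed, reboot required: $Path" }
        2359302 { Write-Host "Already installed: $Path" }
        default { throw "wusa.exe exit code $($p.ExitCode) for $Path" }
    }
}

# Step 1: the servicing stack update must be in place first.
if (-not (Test-KbInstalled -Kb $SsuKb)) {
    Install-Msu -Path $SsuMsu
    if (-not (Test-KbInstalled -Kb $SsuKb)) {
        throw "$SsuKb is still not reported by Get-HotFix; stop before the cumulative update."
    }
}

# Step 2: only now apply the cumulative update.
Install-Msu -Path $LcuMsu
```

Run it from an elevated PowerShell prompt; a 3010 exit code on the cumulative update means the machine still needs a reboot to finish.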
UPDATE: The SANS Internet Storm Center list is up.
-
MS-DEFCON 2: Time to make sure Windows Automatic Update’s turned off
Computerworld Woody on Windows.
-
September 2018 non-Security Office Update Release
September 2018 Office non-security updates were released by Microsoft on September 4, 2018.
These are September Office updates. They will not be included in the DEFCON approval for the July/August patches. Unless you have a specific need to install them, you should wait until Susan Bradley (Patch Lady) approves them and any problems have been reported.
Office 2010
Update for Microsoft Office 2010 (KB4092436)
Office 2013
Update for Microsoft Office 2013 (KB4022233)
Update for Microsoft Office 2013 (KB4092469)
Update for Skype for Business 2015 (KB4092457)
Office 2016
Update for Microsoft Office 2016 (KB3114853)
Update for Microsoft Office 2016 (KB4011670)
Update for Microsoft Office 2016 (KB4018371)
Update for Microsoft Office 2016 (KB4022215)
Update for Microsoft Office 2016 (KB4032237)
Update for Microsoft Office 2016 (KB4092449)
Update for Microsoft Office 2016 (KB4092461)
Update for Microsoft Outlook 2016 (KB4092462)
Update for Microsoft PowerPoint 2016 (KB4092446)
There were no non-security listings for Office 2007 (which is out of support).
Office 365 and C2R are not included.
Security updates for all supported versions of Microsoft Office are released on the second Tuesday of the month (Patch Tuesday).