Virtual Administrator’s September 2018 Patch Recommendations

This month Microsoft released patches for 61 vulnerabilities with 17 of them rated “Critical”, 43 “Important” and 1 “Moderate”.

All September patches have been approved in our patch policy.

This month includes a zero-day security flaw that is being actively exploited (CVE-2018-8440). Two Remote Code Execution (RCE) vulnerabilities and the Hyper-V vulnerabilities are a top priority this month, as is a Device Guard vulnerability. There was an issue with Intuit Tax Software, which has been resolved. Problems with the Servicing Stack Update (SSU) can cause issues with the Windows 7 Monthly Rollup and the Windows 10 1803 Cumulative Update. Finally, “FragmentSmack” is a denial-of-service against the IP stack with no patch yet.

Two Microsoft Security Advisories were released: ADV180022 and ADV180023 (links below).

 

Heads Up! Servicing Stack Update (SSU)

Windows 7 Monthly Rollup (KB4457144) may fail with error 0x8000FFFF. The problem is that an earlier SSU update is required. Install KB3177467 (September 2016), then restart the computer and install KB4457144.

 

Windows 10 1803 Cumulative Update (KB4457128) installs twice or fails to install. A new SSU KB4456655 for Windows 10 Version 1803 was released this month. KB4457128 requires KB4456655. This should only be a problem if you install KB4457128 by itself.

 

Important Updates:

Zero Day ALPC Elevation of Privilege Vulnerability (CVE-2018-8440)

Windows improperly handles calls to Advanced Local Procedure Call (ALPC). An attacker could run arbitrary code in the security context of the local system.

Patch is included in the Monthly Rollup/Cumulative Update

 

Remote Code Execution (RCE) (CVE-2018-8475)

An attacker could execute code on a target system if they can convince a user to download an image file.

Patch is included in the Monthly Rollup/Cumulative Update

 

Remote Code Execution (RCE) (CVE-2018-8457)

Scripting engine memory corruption issue that could be exploited through a malicious Web site or Office file.

Patch is included in the Monthly Rollup/Cumulative Update

 

Hyper-V Remote Code Execution Vulnerability (CVE-2018-0965 and CVE-2018-8439)

To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code.

Patch is included in the Monthly Rollup/Cumulative Update

 

Device Guard Security Feature Bypass Vulnerability (CVE-2018-8449)

An attacker could make an unsigned file appear to be signed.

Patch is included in the Monthly Rollup/Cumulative Update

 

Warning: FragmentSmack (ADV180022/CVE-2018-5391)

This is a denial of service vulnerability. Microsoft is working on a patch and has posted guidance here: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180022

 

Resolved: Intuit Tax Software ProSeries/Lacerte/PTO- Sign-in completion failed

https://accountants-community.intuit.com/announcements/1751170&src=lscipa

Resolution: On 9/13/18, some ProSeries and Lacerte customers experienced issues logging into the program. Our initial investigation led us to believe it was an issue with recent Windows updates. This issue has been resolved and if you have any Windows updates needing to be installed, they can be installed now.

 

Security Update Guide

https://portal.msrc.microsoft.com/en-us/security-guidance

 

Morphus Labs patch dashboard here: https://patchtuesdaydashboard.com

 

Affected software includes:

  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • Microsoft Office and Microsoft Office Services and Web Apps
  • ChakraCore
  • Adobe Flash Player
  • .NET Framework
  • Microsoft.Data.OData
  • ASP.NET

 

Microsoft Security Advisories

ADV180022 | Windows Denial of Service Vulnerability (Published: 09/11/2018)

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180022

 

ADV180023 | September 2018 Adobe Flash Security Update (Published: 09/11/2018)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180023

 

Known Issues: KB4457128, KB4457144, KB4458321

 

KB4457128 (Cumulative Update)

Applies to: Windows 10, version 1803

https://support.microsoft.com/en-us/help/4457128/windows-10-update-kb4457128

Although listed as having Known Issues on the main page, the KB’s detail page shows “Microsoft is not currently aware of any issues with this update.”  I’m guessing the Known Issue is the Servicing Stack Update (SSU) problem where 4457128 installs twice or won’t install. The fix is to install the new SSU KB4456655 first.

 

KB4457144 (Monthly Rollup)

Applies to: Windows 7 SP1, Windows Server 2008 R2 SP1

https://support.microsoft.com/en-us/help/4457144/windows-7-update-kb4457144

Symptom: After you apply this update, the network interface controller may stop working on some client software configurations. This occurs because of an issue related to a missing file, oem<number>.inf. The exact problematic configurations are currently unknown.

Workaround:

  1. To locate the network device, launch devmgmt.msc. It may appear under Other Devices.
  2. To automatically rediscover the NIC and install drivers, select Scan for Hardware Changes from the Action menu.
  3. Alternatively, install the drivers for the network device by right-clicking the device and choosing Update. Then choose Search automatically for updated driver software or Browse my computer for driver software.

Symptom: This update may fail to install with error 0x8000FFFF.

Workaround: Installing KB3177467, the last Servicing Stack Update for Windows 7 and Windows Server 2008 R2 SP1, will resolve this issue.
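Both SSU problems in this month's post (the Windows 7 Monthly Rollup KB4457144 needing KB3177467, and the Windows 10 1803 Cumulative Update KB4457128 needing KB4456655) come down to the same pre-flight check: is the prerequisite servicing stack already on the box before the rollup is pushed? The following PowerShell is an added example written for this post, not a script from Virtual Administrator or Microsoft. The KB pairs are the ones the post names; the function name, parameters and the reliance on Get-HotFix (Win32_QuickFixEngineering) are my own choices.

```powershell
# Added example, not part of the original post or any Microsoft tooling.
# Checks that the Servicing Stack Update (SSU) the September 2018 update depends on
# is already installed before the rollup/cumulative update is deployed.
# The KB pairs come from the post; the function and variable names are assumptions.

$SsuPrerequisite = @{
    'KB4457144' = 'KB3177467'   # Windows 7 / Server 2008 R2 Monthly Rollup needs the Sept 2016 SSU
    'KB4457128' = 'KB4456655'   # Windows 10 1803 Cumulative Update needs the new 1803 SSU
}

function Test-SsuPrerequisite {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $TargetKb,
        [string] $ComputerName = $env:COMPUTERNAME,
        # Optional list of installed KB IDs, so the check can run against
        # inventory data (e.g. a patch-management export) instead of querying the host.
        [string[]] $InstalledKbs
    )

    if (-not $InstalledKbs) {
        # Get-HotFix reads Win32_QuickFixEngineering, which lists CBS-installed updates, SSUs included.
        $InstalledKbs = Get-HotFix -ComputerName $ComputerName |
            Select-Object -ExpandProperty HotFixID
    }

    $ssu             = $SsuPrerequisite[$TargetKb]      # $null if the KB has no listed SSU
    $targetInstalled = $InstalledKbs -contains $TargetKb
    $ssuInstalled    = [bool]$ssu -and ($InstalledKbs -contains $ssu)

    if (-not $ssu)            { $note = 'No SSU prerequisite listed for this KB in the post' }
    elseif ($targetInstalled) { $note = 'Already installed' }
    elseif ($ssuInstalled)    { $note = "SSU present; $TargetKb can be installed" }
    else                      { $note = "Install $ssu first, reboot, then install $TargetKb" }

    [pscustomobject]@{
        ComputerName    = $ComputerName
        TargetKb        = $TargetKb
        RequiredSsu     = $ssu
        SsuInstalled    = $ssuInstalled
        TargetInstalled = $targetInstalled
        Ready           = (-not $ssu) -or $ssuInstalled
        Note            = $note
    }
}

# Usage against the local machine:
#   Test-SsuPrerequisite -TargetKb KB4457144
# Usage against a constructed inventory list (no WMI call made):
#   Test-SsuPrerequisite -TargetKb KB4457128 -InstalledKbs @('KB4343909','KB4456655')
```

Run it across the fleet (for example through Invoke-Command or by feeding it exported HotFixID lists) and hold back the rollup on any host where Ready is false. One caveat: Win32_QuickFixEngineering only reflects updates the component-based servicing stack recorded, so if your patch tool reports the SSU as installed but Get-HotFix does not, trust the tool's inventory and pass it in via -InstalledKbs.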

 

KB4458321 Update Rollup 24 for Exchange Server 2010 Service Pack 3

Applies to: Exchange Server 2010 Service Pack 3

https://support.microsoft.com/en-us/help/4458321/update-rollup-24-for-exchange-server-2010-service-pack-3

Symptom: When you try to manually install this security update in Normal mode (not running the update as an administrator) and by double-clicking the update file (.msp), some files are not correctly updated.

Workaround: To avoid this issue, run the security update in elevated mode, as an administrator.
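The KB4458321 known issue is purely about the token the installer runs under: double-clicking the .msp from a non-elevated session leaves some files un-updated. The following PowerShell is an added example, not from the post or from Microsoft, that refuses to run the .msp unless the process is elevated and otherwise relaunches msiexec through UAC. The file path is a placeholder, and using msiexec /update with a verbose log is my own choice of invocation.

```powershell
# Added example, not part of the original post or Microsoft's Exchange documentation.
# Installs an Exchange 2010 SP3 rollup .msp only from an elevated process,
# which is the workaround the KB calls for. Path and log location are placeholders.

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Install-ExchangeRollup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $MspPath,
        [string] $LogPath = (Join-Path $env:TEMP 'Exchange2010-RU24-install.log')
    )

    if (-not (Test-Path -LiteralPath $MspPath)) {
        throw "Update file not found: $MspPath"
    }

    # msiexec applies a patch package with /update; /qb gives a basic UI, /norestart
    # defers the reboot, /l*v writes a verbose log for later verification.
    $msiArgs = "/update `"$MspPath`" /qb /norestart /l*v `"$LogPath`""

    if (Test-IsElevated) {
        $proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    } else {
        # Not elevated: relaunch through UAC so the .msp runs with an administrator token
        # instead of the "Normal mode" install that leaves files un-updated.
        $proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Verb RunAs -Wait -PassThru
    }

    # 0 = success, 3010 = success but a reboot is required; anything else needs the log
    return $proc.ExitCode
}

# Usage (placeholder path):
#   Install-ExchangeRollup -MspPath 'C:\Patches\Exchange2010-KB4458321-x64-en.msp'
```

Check the returned exit code rather than assuming success: 3010 means the rollup installed but Exchange needs a restart, and any other non-zero value should send you to the verbose log before you move on to the next server.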

 

Monthly Rollup/Security Only/Windows 10/Server 2016 KBs

Links are https://support.microsoft.com/en-us/help/####### with the KB number only.

 

Security and Quality Rollup

KB4457144 – Windows 7, Windows Server 2008 R2

KB4457129 – Windows 8.1, Windows Server 2012 R2

KB4457135 – Windows Server 2012

KB4458010 – Windows Server 2008

 

Security Only Update

KB4457145 – Windows 7, Windows Server 2008 R2

KB4457143 – Windows 8.1, Windows Server 2012 R2

KB4457140 – Windows Server 2012

KB4457984 – Windows Server 2008

 

Cumulative Update for Windows 10

KB4457132 – Original release version 1507 (OS Build 10240)

None – Version 1511 (OS Build 10586)

KB4457131 – Version 1607 “Anniversary Update” (OS Build 14393)

KB4457138 – Version 1703 “Creators Update” (OS Build 15063)

KB4457142 – Version 1709 “Fall Creators Update” (OS Build 16299)

KB4457128 – Version 1803 “Spring Creators Update” (OS Build 17134)

 

Note: Server 2016 uses the same KB as Windows 10 Version 1607

 

KB4457426 – Cumulative Security Update for Internet Explorer 9/10/11

This cumulative update is included in the monthly updates listed above. It can be installed instead of the monthly update to secure Internet Explorer; otherwise it is “superseded” by the monthly update.

 

.NET Framework

Security and Quality Rollup (Security Only update in parentheses) for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2

KB4457918 (KB4457914) – Windows 7, Windows Server 2008 R2

KB4457920 (KB4457916) – Windows 8.1, Windows Server 2012 R2

KB4457919 (KB4457915) – Windows Server 2012

KB4457921 (KB4457917) – Windows Server 2008 (.NET Framework 2.0, 3.0, 4.5.2, 4.6)

 

KB4457146 – Security Update for Adobe Flash Player

 

September 2018 updates for Microsoft Office

https://support.microsoft.com/en-us/help/4459402/september-2018-updates-for-microsoft-office

 

Notable CVEs

 

CVE-2018-8409 | System.IO.Pipelines Denial of Service

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8409

A denial of service vulnerability exists when System.IO.Pipelines improperly handles requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an application that is leveraging System.IO.Pipelines. The vulnerability can be exploited remotely, without authentication.

 

CVE-2018-8440 | Windows ALPC Elevation of Privilege Vulnerability

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8440

An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC).

An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control over an affected system.

 

CVE-2018-8449 | Device Guard Security Feature Bypass Vulnerability

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8449

A security feature bypass exists when Device Guard incorrectly validates an untrusted file. An attacker who successfully exploited this vulnerability could make an unsigned file appear to be signed.

 

CVE-2018-8457 | Scripting Engine Memory Corruption Vulnerability

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8457

A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.

 

CVE-2018-8475 | Windows Remote Code Execution Vulnerability

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8475

A remote code execution vulnerability exists when Windows does not properly handle specially crafted image files. An attacker who successfully exploited the vulnerability could execute arbitrary code.

To exploit the vulnerability, an attacker would have to convince a user to download an image file.