Virtual Administrator’s October 2018 Patch Recommendations
This month Microsoft released patches for 49 vulnerabilities with 12 of them rated “Critical”, 34 “Important”, 2 “Moderate” and 1 “Low”.
All October patches have been approved in our patch policy.
This month has a zero-day security flaw CVE-2018-8453 included in Monthly Rollup/Cumulative Update. KB4464330 and KB4462919 was causing BSOD on certain HP devices – See Warning below. Windows 10 October 2018 Update (version 1809) was release last week then pulled last Saturday morning after 3 days. Microsoft claims to have fixed the problem and rolling out to members of the Windows Insider Program first.
1 Microsoft Security Advisories was released – ADV180026 (link below).
Warning: HP Bluescreen issue
HP devices may experience blue screen error WDF_VIOLATION after installing HP keyboard driver (version 11.0.3.1)
This should only be an issue for machines that have already installed KB4464330 or KB4462919. “On October 11, Microsoft removed the driver from Windows Update to reduce the number of devices affected. Additionally, we have released KB 4468304 to remove the incompatible driver from devices pending reboot. HP is actively working on this issue.
Heads Up! Servicing Stack Update (SSU)
Windows 7 Monthly Rollup (KB4462923) may fail with error 0x8000FFFF. The problem is an earlier SSU update is required. Install KB3177467 (September 2016) then restart computer and install KB4457144
Windows 10 1809 “October 2018 Update”
This was released Tuesday (10/2/18) then “paused” on Saturday in response to a data loss issue on some machines. Microsoft is currently testing a fixed version on members of the Windows Insider Program. As with all Windows 10 version upgrades you cannot deny the upgrade as it is not a specific KB. You can defer the upgrade. VA has agent procedure posted on ClubMSP to enable the deferral for 180 days. Script name is: “Windows Creators Defer Update”
Zero Day CVE-2018-8453 included in Monthly Rollup/Cumulative Update
Kaspersky reported this vulnerability which has been exploited by the APT group tracked as FruityArmor
Security Update Guide
https://portal.msrc.microsoft.com/en-us/security-guidance
Morphus Labs patch dashboard here: https://patchtuesdaydashboard.com
Affected software include:
- Internet Explorer
- Microsoft Edge
- Microsoft Windows
- Microsoft Office and Microsoft Office Services and Web Apps
- ChakraCore
- .NET Core
- PowerShell Core
- SQL Server Management Studio
- Microsoft Exchange Server
- Azure IoT Edge
- Hub Device Client SDK for Azure IoT
Microsoft Security Advisories
ADV180026 | Microsoft Office Defense in Depth Update (Published: 10/09/2018)
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180026
Known Issues: KB4459266, KB4462917, KB4462923, KB4092470, KB4461450
KB4459266
Applies to: Microsoft Exchange Server 2013/2016
https://support.microsoft.com/en-us/help/4459266/description-of-the-security-Symptom: When you try to manually install this security update in “normal mode” (not running the update as an administrator) by double-clicking the update file (.msp), some files are not correctly updated. When this issue occurs, you do not receive an error message or any indication that the security update was not correctly installed. Also, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) may stop working. This issue occurs on servers that are using user account control (UAC). The issue occurs because the security update does not correctly stop certain Exchange-related services.
Workaround:To avoid this issue, run the security update in elevated mode, as an administrator. To do this, right-click the update file, and then click Run as administrator.
KB4462917 (Cumulative Update)
Applies to: Windows 10 Version 1607
https://support.microsoft.com/en-us/help/4462917/windows-10-update-kb4462917
Symptom: After installing this update, installing Window Server 2019 Key Management Service (KMS) host keys (CSVLK) on Window Server 2016 KMS hosts does not work as expected.
Workaround: None. Microsoft is working on a resolution and will provide an update in an upcoming release.
KB4462923 (Monthly Rollup)
Applies to: Windows 7 SP1, Windows Server 2008 R2 SP1
https://support.microsoft.com/en-us/help/4462923/windows-7-update-kb4462923
Symptom: After you apply this update, the network interface controller may stop working on some client software configurations. This occurs because of an issue related to a missing file, oem<number>.inf. The exact problematic configurations are currently unknown.
Workaround:
1)To locate the network device, launch devmgmt.msc. It may appear under Other Devices.
2)To automatically rediscover the NIC and install drivers, select Scan for Hardware Changes from the Action menu.
- Alternatively, install the drivers for the network device by right-clicking the device and choosing Update. Then choose Search automatically for updated driver software or Browse my computer for driver software.
Symptom: This update may fail to install with error 0x8000FFFF.
Workaround: Installing KB3177467, the last Servicing Stack Update for Windows 7 and Windows Server 2008 R2 SP1, will resolve this issue.
KB4092470
Applies to: Microsoft SharePoint Server 2013 Service Pack 1
Symptom: When you try to move document sets to a records center after applying KB4092470, you may see an unexpected error.
Workaround:To resolve this issue, install the October 9, 2018, cumulative update for SharePoint Enterprise Server 2013 (KB4461458).
KB4461450
Applies to: Microsoft SharePoint Server 2013 Service Pack 1
Symptom: When you try to move document sets to a records center after applying KB4092470, you may see an unexpected error.
Workaround:To resolve this issue, install the October 9, 2018, cumulative update for SharePoint Enterprise Server 2013 (KB4461458).
Monthly Rollup/Security Only/Windows 10/Server 2016 KBs
Links are https://support.microsoft.com/en-us/help/####### with the KB number only.
Security and Quality Rollup
- KB4462923 – Windows 7, Windows Server 2008 R2
- KB4462926 – Windows 8.1, Windows Server 2012 R2
- KB4462929 – Windows Server 2012
- KB4463097 – Windows Server 2008
Security Only Update
- KB4462915 – Windows 7, Windows Server 2008 R2
- KB4462941 – Windows 8.1, Windows Server 2012 R2
- KB4462931 – Windows Server 2012
- KB4463104 – Windows Server 2008
Cumulative Update for Windows 10
- KB4462922 – Original release version 1507 (OS Build 10240)
- None – Version 1511 (OS Build 10586)
- KB4462917 – Version 1607 “Anniversary Update” (OS Build 14393)
- KB4462937 – Version 1703 “Creators Update” (OS Build 15063)
- KB4462918 – Version 1709 “Fall Creators Update” (OS Build 16299)
- KB4462919 – Version 1803 “Spring Creators Update” (OS Build 17134)
- KB4464330 – Version 1809 “October 2018 Update” (OS Build 17763)
Note: Server 2016 uses the same KB as Windows 10 Version 1607
KB4462949 – Cumulative Security Update for Internet Explorer 9/10/11
This cumulative update is included in the monthly updates listed above. It can be installed instead of the monthly to secure Internet Explorer otherwise it is “superseded” by the monthly update.
.NET Framework
Security and Quality Rollup (Security Only) for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2
- KB4459922 – Windows 7, Windows Server 2008 R2
- KB4459924 – Windows 8.1, Windows Server 2012 R2
- KB4459923 – Windows Server 2012
- KB4459925 – Windows Server 2008 (.NET Framework 2.0, 3.0, 4.5.2, 4.6)
KB4462930 – Security Update for Adobe Flash Player
October 2018 updates for Microsoft Office
https://support.microsoft.com/en-us/help/4464656/october-2018-updates-for-microsoft-office
Notable CVEs
CVE-2018-8453 | Win32k Elevation of Privilege Vulnerability
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8453
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.
The update addresses this vulnerability by correcting how Win32k handles objects in memory.
CVE-2018-8423 | Microsoft JET Database Engine Remote Code Execution Vulnerability
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8423
A remote code execution vulnerability exists in the Microsoft JET Database Engine.
An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
To exploit the vulnerability, a user must open/import a specially crafted Microsoft JET Database Engine file. In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted file to the user, and then convince the user to open the file.
The security update addresses the vulnerability by modifying how the Microsoft JET Database Engine handles objects in memory.
