10 Jul 18

Patch Tuesday, July 2018 Edition

Microsoft and Adobe each issued security updates for their products today. Microsoft’s July patch batch includes 14 updates to fix more than 50 security flaws in Windows and associated software. Separately, Adobe has pushed out an update for its Flash Player browser plugin, as well as a monster patch bundle for Adobe Reader/Acrobat.

According to security firm Qualys, all but two of the “critical” fixes in this round of updates apply to vulnerabilities in Microsoft’s browsers — Internet Explorer and Edge. Critical patches mend software flaws that can be exploited remotely by malicious software or bad guys with little to no help from the user, save for perhaps visiting a Web site or opening a booby-trapped link.

Microsoft also patched dangerous vulnerabilities in its .NET Framework (a Windows development platform required by many third-party programs and commonly found on most versions of Windows), as well as Microsoft Office. With both of these weaknesses, an attacker could trick a victim into opening an email that contained a specially crafted Office document which loads malicious code, says Allan Liska, a threat intelligence analyst at Recorded Future.

One of the more nettlesome features of Windows 10 is that the operating system by default decides on its own when to install updates, very often shutting down open programs and restarting your PC in the middle of the night to do so unless you change the defaults.

Not infrequently, Redmond ships updates that end up causing stability issues for some users, and it doesn’t hurt to wait a day or two to see if any major problems are reported with new updates before installing them. Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update.

It’s a good idea to get in the habit of backing up your computer before applying monthly updates from Microsoft. Windows has some built-in tools that can help recover from bad patches, but restoring the system to a backup image taken just before installing updates is often much less hassle and an added peace of mind while you’re sitting there praying for the machine to reboot successfully after patching.

As per usual on Microsoft’s Patch Tuesday, Adobe issued an update to its Flash Player browser plugin. The latest update brings Flash to version 30.0.0.134, and patches at least two security vulnerabilities in the program. Microsoft’s patch bundle includes the Flash update as well.

Adobe says the Flash update addresses “critical” security holes, meaning they could be exploited by malware or miscreants to take complete, remote control over vulnerable systems. My standard advice is for readers to kick Flash to the curb, as it’s a buggy program that is a perennial favorite target of malware purveyors.

For readers still unwilling to cut the Flash cord, there are half-measures that work almost as well. Fortunately, disabling Flash in Chrome is simple enough. Paste “chrome://settings/content” into a Chrome browser bar and then select “Flash” from the list of items. By default it should be set to “Ask first” before running Flash, although users also can disable Flash entirely here or whitelist and blacklist specific sites.

By default, Mozilla Firefox on Windows computers with Flash installed runs Flash in a “protected mode,” which prompts the user to decide if they want to enable the plugin before Flash content runs on a Web site.

Another, perhaps less elegant, alternative to wholesale junking Flash is keeping it installed in a browser that you don’t normally use, and then only using that browser on sites that require Flash.

If you use Adobe Reader or Acrobat to manage PDF documents, you’re probably going to want to update these products soon: Adobe released updates for both today that fix more than 100 security vulnerabilities in the software titles.

Some folks may be unaware that there are other free PDF readers which aren’t quite as bloated as Adobe’s. Whether these alternative readers are more secure is another question; they certainly seem to be updated less frequently, but that may have something to do with the fact that they include far fewer features and likely less overall attack surface area.

I can’t recall the last time I had Adobe Reader installed on anything I own. My preferred PDF reader for Windows is Sumatra PDF, which is comparatively lightweight and very fast. Unfortunately, no matter how many times you change Sumatra to the default PDF reader on Windows 10, the operating system keeps defaulting to opening PDFs in Microsoft Edge.

For a detailed rundown of the individual vulnerabilities patched by Microsoft today, check out the SANS Internet Storm Center, which indexes the fixes by severity, how likely it is that each vulnerability will be exploited anytime soon, and whether specific flaws were publicly disclosed prior to today’s patch release.

According to SANS, at least three of the flaws — CVE-2018-8278, CVE-2018-8313, and CVE-2018-8314 — were previously disclosed publicly, meaning that attackers may have had a head start figuring out how to exploit these flaws for criminal gain.

As always, if you experience any problems installing or downloading these updates, please don’t hesitate to leave a comment. If past Patch Tuesday posts are any indicator, you may even find helpful responses or solutions from other readers experiencing the same issues.


28 comments

  1. The Sunshine State

    If you have problems with Windows 7 updates, which I had today, you can use this program to fix it

    http://www.tweaking.com/content/page/windows_repair_all_in_one.html

    • This tool was a life saver on help desk

    • NastyOldAndMean

      I use these tools to solve my Microsoft & Adobe problems:

      https://www.linux.com/
      https://www.ghostscript.com/

      And no, I’m not trying to troll or start a fight: I’ve been using Microsoft/Adobe software since the beginning and I still can’t fathom why we tolerate the level of insecurity built into it, while trying to fix it with a “once a month” patch/crash festival and the odd “emergency patch release” when it’s a particularly egregious problem.

      Haven’t we had enough? Monter aux barricades!

      • But you are trolling, that’s the whole point of your post.

        Ever try rolling Linux workstations out across an enterprise? How about (easily) patching it? What about getting all those business critical applications running on it?

        We all know the issues but I guarantee that if Linux owned most of the corporate workstation environment the hackers would look and work far harder to find exploits.

        Microsoft isn’t the only company to mess up a patch. Such drama.

        • NastyOldAndMean

          Actually, I wasn’t trolling. I really did mean “I’m not trolling or trying to start a fight.”

          I was, am and expect to always be deeply infuriated at the endless security problems out of Microsoft and Adobe. The idea that we are using such insecure software in the enterprise, including critical financial and industrial infrastructure, appalls me.

          I know that the enterprise-level tools and systems for managing an enterprise deployment of linux desktops are Not Yet There, but it could be with the right effort. I also know that just counting CVEs is not necessarily a good index of security: There’s more to it than that.

          BUT we have to find ways to pressure Microsoft and Adobe to do better. All they are doing now is adding features and fluff, and leaving us enterprise users to twist in the wind when the cybercriminals attack.

          We’re going to continue with the pain, costs and lost productivity of Patch Tuesday until we can collectively decide “enough is enough” and get something better. Maybe it’s not linux, but whatever it is we need a competitor to Microsoft and Adobe to force them to pull up their diapers and fix their security.

      • Not to add insult to injury:
        https://www.cvedetails.com/top-50-product-cvssscore-distribution.php
        Please note the most vulnerabilities by product.
        The last time Linux could brag about security in any general sense was 2003.
        Thanks for playing.

        • lies, damned lies and statistics

          “Linux Kernel” has been in development since the 1990s and nearly all security flaws found get a CVE. Also pay attention to the distribution of CVEs. For Linux it’s mostly in the 4-5 range, for Windows it’s weighted towards Critical.

          Adding up all the Windows CVEs post-2000 (not counting programs like IE) in the list you end up with 5314, more than double the number for Linux. This isn’t counting the many vulns that MS patched (or failed to patch) and refused to accept as a vulnerability. It’s worth noting the number 5314 is also deceptive, as there are vulnerabilities shared between multiple versions of Windows.

          Time between creation of the vulnerability, discovery/disclosure and patching is a more important metric than the raw number of CVEs.

          Linux is fairly hard to gauge from a security standpoint because it’s so versatile and has so many different builds. So while there may have been 2000 CVEs, maybe 1/4 of those would have actually affected an individual’s version of Linux. With Windows, you just get what Microsoft gives you, so every CVE affects your build. Linux still has active hardening projects while Windows EMET is EOL.

        • If you’re going to categorize the Linux Kernel as a product, then you should also categorize the NT Kernel as a product and aggregate all of the NT Kernel vulnerabilities across the lifespan and entire product line of Windows since NT 3.51.

          Note also that there are two different “products” for Windows Server 2003 and Windows 2003 Server, and two different “products” for IE and for Internet Explorer.

          This is a very misleading presentation at best, pro-Microsoft, anti-*nix propaganda at worst.

          (*nix including Linux and its distros, Solaris, OS X, Android, etc. – anything Unix or Unix-like.)

  2. > Unfortunately, no matter how many times you change Sumatra to the default PDF reader on Windows 10, the operating system keeps defaulting to opening PDFs in Microsoft Edge.

    It is not so. If you set it up in Windows settings – Apps – Default apps – Choose default apps by file type and select Sumatra for .pdf, everything works as expected. Just to set it up in Sumatra options is not enough.

    • It can also be set from the “How do you want to open this file?” dialog box that appears when choosing to open a .pdf in a different program.

    • Windows 10 absolutely will reset .pdf files to open with Edge, even if set the way you’ve described. I’ve had to reset to Sumatra more times than I can recall no matter what method I use to set it.

  3. The first thing I usually do when I boot my W10 Pro system at night is run updates, mainly to ensure I have the latest Windows security tool updates. I forgot that yesterday was patch Tuesday and when I returned to my machine, all the updates were installing. Fortunately, they all installed properly and I had no problems with the reboot or afterwards.

  4. > Unfortunately, no matter how many times you change Sumatra to the default PDF reader on Windows 10, the operating system keeps defaulting to opening PDFs in Microsoft Edge.

    Got to love the sleep settings. Set it to never, and it keeps changing back to 2 hours…. Really MS? Feeling the love… And by love I mean disdain.

  5. Sumatra has not been updated in nearly 2 years.

    3.1.2 (2016-08-14) Changes in this release:
    fixed issue with icons being purple in latest Windows 10 update
    tell Windows 10 that SumatraPDF can open supported file types

  6. One reason for Adobe Reader is that none of the others display Geospatial PDFs. These display the location coordinates for hikers, etc.

    Avenza Maps is a similar but much more expensive product for Android tablets and phones.

    Neither require internet access to function this way, only a GPS to find the current location.

  7. KB4340558 for .Net framework is broken for Windows 8 and Windows Server 2012. Multiple people have reported this.

    • Thanks for the info Carl. Have you seen any discussion threads about this that we can link to?

    • I wrangle a few machines, all running W-7 (SP-1); one is 32-bit; the others, 64-bit.

      On my July 2018 Patch Tuesday menu, in addition to the usual (Malicious Software Removal Tool; Update for W-7; and 2018-07 Security Monthly Quality Rollup for W-7), KB4340556 (NOTE FINAL DIGIT — it’s prolly specific to W-7) 2018-07 Security and Quality Rollup for .NET Framework was on offer. The versions of .NET Framework affected include v4.7.2 and Sink My Putt!, KB4054530 which installs .NET Framework v4.7.2 was also on the updates menu. To me, it seemed to be appropriate to install the underlying software (in this case, .NET Framework v4.7.2) before trying to update it.

      For me, this meant installing the July 2018 updates in three steps: first, the basic / generic stuff; second, the .NET Framework v4.7.2 package; and last, updating .NET Framework. Each step required rebooting. Bottom line: no problems to report.

      NB: Segregating .NET Framework updates is a precaution I first learned from KoS. It might be prudent to include this advice in Patch Tuesday boilerplate.

  8. I can also confirm the problems with KB4340558.
    Almost all of our win server 2012 r2 machines failed installing this update. 13 of 14…

  9. Taffy from Outlane

    I stopped using Adobe Reader/Acrobat because of the security holes – Flash too of course. But I’ve just found that two sites that I must use have Acrobat Reader DC. I’ve checked with Adobe and it says there are no updates. Do you think that this DC version is safe?

    If you search the MS Community for KB4340558, you’ll find about a dozen or so (so far) threads complaining about the failure.

  10. Under the heading of Microsoft updates / support / security, related to Definition Updates for Microsoft Security Essentials, with no explanation, starting with KB2310138 (Definition 1.271.550.0) installed 7/5/2018, the “Importance” of Definitions Updates changed from “Optional” to “Recommended”.

  11. Also under the heading of Windows security, the end of life date for EMET v5.5 is July 31, 2018. There are no plans to offer support or security patching for EMET after July 31, 2018.

    https://technet.microsoft.com/en-us/security/jj653751

    —–

    That is all.

  12. bashful butcher

    @David (July 11, 2018 at 10:12 am)

    “Sumatra has not been updated in nearly 2 years.”

    IIRC they’ve had alpha and beta versions in addition to stable.

    Just because a project doesn’t release new versions in a timely manner does not always mean the project is dead or somehow weakened. Especially with programs that just work at the current version they are at.

    Should you discover any bugs or desire features you should contact the project leader for any software you feel needs a new version.

    New is not always better.

  13. Have got something in all my desktops and laptops. Have tried a lot of ways, clouds, scanners, usbs…it interrupts internet and rewrites rules moves files and drivers. My desktop for Windows left only with recycle bin no ways to exit. Fixed that boot disappeared tried to restore to factory settings to find a missing partition had to fix prior to restore them right after restore goes right back to it…Laptops were not even turned on previously..help

  14. The Windows updates appear to be downloading and installing but they are all altered prior to being installed. It looks as if all is well but actually nothing is. Everything has been hacked and anything that appears to have capabilities to help? Dos or Windows or boots or drivers are rewritten before they can help! Have actually seen 8 quarantined items removed from quarantine 1×1 while system appeared to be thinking. Then all rules were rewritten totally making program unable to do anything. It it’s own real protection in quarantine. Logs disappear, no internet svc….awful

    • NastyOldAndMean

      Sir,

      When things are that bad, I recommend to wipe everything back to bare metal and reinstall from scratch from known good backups or media.

      If you absolutely have to pull data from the infected systems, take images of the disks, mount them to a clean and well-protected system as data drives and scan with multiple antivirus scanners to clean out malware before pulling any files.

      Check your firewalls and network devices for compromise as well.

      If you have IDS, check the logs for any malicious C&C or data leakage traffic. If you don’t have an IDS, get one. Security Onion works fine and it’s FREE.

      Even doing all of this may not be enough if the malware has successfully inserted itself into firmwares or BIOS hardware. If you reinstall and it comes back, you may need to wipe everything again and then dispose of them, then replace all the hardware.

      And now you know why I run Linux…
