Adobe and Microsoft each released security updates for their software on Tuesday. Adobe plugged five security holes in its Flash Player browser plugin. Microsoft pushed 17 updates to fix at least 60 vulnerabilities in Windows and other software, including two “zero-day” flaws that attackers were already exploiting before Microsoft issued patches to fix them.
According to security firm Ivanti, the first of the two zero-day flaws (CVE-2018-8373) is a critical flaw in Internet Explorer that attackers could use to foist malware on IE users who browse to hacked or booby-trapped sites. The other zero-day is a bug (CVE-2018-8414) in the Windows 10 shell that could allow an attacker to run code of his choice.
Microsoft also patched more variants of the Meltdown/Spectre memory vulnerabilities, collectively dubbed “Foreshadow” by a team of researchers who discovered and reported the Intel-based flaws. For more information about how Foreshadow works, check out their academic paper (PDF), and/or the video below. Microsoft’s analysis is here.
One nifty little bug fixed in this patch batch is CVE-2018-8345. It addresses a problem in the way Windows handles shortcut files; ending in the “.lnk” extension, shortcut files are Windows components that link (hence the “lnk” extension) easy-to-recognize icons to specific executable programs, and are typically placed on the user’s Desktop or Start Menu.
That description of a shortcut file was taken verbatim from the first widely read report on what would later be dubbed the Stuxnet worm, which also employed an exploit for a weakness in the way Windows handled shortcut (.lnk) files. According to security firm Qualys, this patch should be prioritized for both workstations and servers, as the user does not need to click the file to exploit. “Simply viewing a malicious LNK file can execute code as the logged-in user,” Qualys’ Jimmy Graham wrote.
Not infrequently, Redmond ships updates that end up causing stability issues for some users, and it doesn’t hurt to wait a day or two before seeing if any major problems are reported with new updates before installing them. Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update.
It’s a good idea to get in the habit of backing up your computer before applying monthly updates from Microsoft. Windows has some built-in tools that can help recover from bad patches, but restoring the system to a backup image taken just before installing updates is often much less hassle and an added peace of mind while you’re sitting there praying for the machine to reboot successfully after patching.
Adobe’s Flash update brings the program to v. 30.0.0.154 for Windows, macOS, Chrome and Linux. Most readers here know how I feel about Flash, which is a major security liability and a frequent target of browser-based attacks. The updates from Microsoft include these Flash fixes for IE, and Google Chrome has already pushed an update to address these five Flash flaws (although a browser restart may be needed).
But seriously, if you don’t have a specific need for Flash, just disable it already. Chrome is set to ask before playing Flash objects, but disabling Flash in Chrome is simple enough. Paste “chrome://settings/content” into a Chrome browser bar and then select “Flash” from the list of items. By default it should be set to “Ask first” before running Flash, although users also can disable Flash entirely here or whitelist and blacklist specific sites.
By default, Mozilla Firefox on Windows computers with Flash installed runs Flash in a “protected mode,” which prompts the user to decide if they want to enable the plugin before Flash content runs on a Web site.
Adobe also released security updates for its PDF Reader and Acrobat products.
As always, please leave a note in the comments below if you experience any problems installing any of these updates.
August 2018 – Microsoft Patch Tuesday
https://techtalk.gfi.com/august-2018-microsoft-patch-tuesday/
Brian: Love your work. I’d like to give you a piece of my mind about my peace of mind. 😉
Awesome tool from Morphus Labs for making (more) sense of Patch Tuesday:
https://patchtuesdaydashboard.com/
Not bad – any idea how they compiled the data? Does MS offer an API?
See https://morphuslabs.com/analyzing-microsoft-patch-tuesday-using-charts-and-indicators-13b796933c22
Heads up too, windows server patches from last cycle were screwing up exchange hub transports, creating some sorta race condition. I believe the fix is probably in this months server patches. Prior to this patch, the fix was in the “preview” cumulative patch.
MS has documentation on this if you encounter it.
https://blogs.technet.microsoft.com/exchange/2018/07/16/issue-with-july-updates-for-windows-on-an-exchange-server/
Your site is always wonderful, Brian, thanks muchly.
Re: Adobe Acrobat* patches.
I’m starting to worry about PDF attacks via URL or JavaScript or some undocumented form of active content that Adobe has squirreled away. Have you seen or heard anything about this?
So far I’m thinking forcing gateway conversion of PDFs to the PDF-A archive format — which is an ISO standard, and doesn’t allow scripting — might be a way to limit damage from Adobe’s infamous security model.
(PS: You were cited twice in Bruce Schneier’s Crypto-gram this month. Good on ya!)
I had to study the PDF spec for work (ISO and Adobe extensions). I’m thinking about creating a “safe” PDF viewer that extracts text and minimal display information (optionally images). I think there may be a demand.
BTW I don’t consider the ISO spec to be safe either. Just look at section 12.6.4.5 Launch Actions for one of many examples:
“A launch action launches an application or opens or prints a document. Table 203 shows the action dictionary
entries specific to this type of action.
The optional Win, Mac, and Unix entries allow the action dictionary to include platform-specific parameters for
launching the designated application. If no such entry is present for the given platform, the F entry shall be
used instead.”
Related both to “security” and “Windows Updates”, starting mid-July 2018, daily Microsoft Security Essentials definition updates swelled significantly from rarely more than 1 or 2 MB to frequently 30 or 40 MB; further, in early July 2018, the “Importance” of these updates changed from “Optional” to “Recommended”. Did new definitions spike by more than an order of magnitude? Are we 10 times safer? When bandwidth is limited this is more than idle curiosity. Insights / wisdom from the commentariat?
I was using the Tools to fill in the information into a PDF form with Adobe Acrobat. Last night – prior to patching – I was able to right-click on an entry, change the font size and move the information around in the entry field. Tonight, I can no longer change font size or re-position the information entered.
This update has messed up my mouse.
Two things off-topic that I don’t know where to express:
1- Have you seen a method to catch ATM skimmers (the equipment) has been developed? I’ve read elsewhere but I’d love to read your take on it.
2- Have you moved your advertisements to be served from your own domain/server? My umatrix has only listed (and blocked) Google Analytics and Gravatar from 3rd parties. If you actually did it a HUGE kudos to you.
Is windows 8.1 update addressed?. . Update still fails . .
Now if only MS would use CVE nomenclature in WSUS.
Adobe auto-update worked; no need to do it manually this time.
Oy. The exact opposite has happened with my Windows 7 HP business OS. For both Firefox and Chrome, on the page where I’d ordinarily see that the program’s been updated, there’s a yellow button advising me to update. (I’ve already temporarily allowed flash to operate temporarily). When I click on the button, NOTHING happens. Right clicking the button reveals that it’s not a live link. The install page doesn’t have a link for an update. Is this happening to anyone else?
https://get.adobe.com/flashplayer/about/
FWIW, my machine is partitioned between Linux & Windows. The Adobe update still works for Firefox Linux, so that’s the only browser still running Flash. Since only one regular use website still requires Flash, no burden aytall.
Another mess with Microsoft update.
Will turn off the update feature as I have to spend hours getting settings back to normal to use for all needed applications.
“… while you’re sitting there praying for the machine to reboot successfully after patching”
A near-universal experience these days. It never used to be as bad as this; Microsoft is no longer the reliable software provider it once was. Didn’t they get rid of a whole swathe of Windows devs and testers a while back?
It seems every time Microsoft releases patches to Win10, they break their own Outlook client (2013 – no longer receive outlook.com email).
After 8/16, the old workarounds no longer work.
It seems that the lesson is – if you want to use a microsoft email client on your pc, don’t use microsoft outlook.com email server – find another provider.
How much is this