11
Oct 18

Patch Tuesday, October 2018 Edition

Microsoft this week released software updates to fix roughly 50 security problems with various versions of its Windows operating system and related software, including one flaw that is already being exploited and another for which exploit code is publicly available.

The zero-day bug — CVE-2018-8453 — affects Windows versions 7, 8.1, 10 and Server 2008, 2012, 2016 and 2019. According to security firm Ivanti, an attacker first needs to log into the operating system, but then can exploit this vulnerability to gain administrator privileges.

Another vulnerability patched on Tuesday — CVE-2018-8423 — was publicly disclosed last month along with sample exploit code. This flaw involves a component shipped on all Windows machines and used by a number of programs, and could be exploited by getting a user to open a specially-crafted file — such as a booby-trapped Microsoft Office document.

KrebsOnSecurity has frequently suggested that Windows users wait a day or two after Microsoft releases monthly security updates before installing the fixes, with the rationale that occasionally buggy patches can cause serious headaches for users who install them before all the kinks are worked out.

This month, Microsoft briefly paused updates for Windows 10 users after many users reported losing all of the files in their “My Documents” folder. The worst part? Rolling back to previous saved versions of Windows prior to the update did not restore the files.

Microsoft appears to have since fixed the issue, but these kinds of incidents illustrate the value of not only waiting a day or two to install updates but also manually backing up your data prior to installing patches (i.e., not just simply counting on Microsoft’s System Restore feature to save the day should things go haywire).

Mercifully, Adobe has spared us an update this month for its Flash Player software, although it has shipped a non-security update for Flash.

For more on this month’s Patch Tuesday batch, check out posts from Ivanti and Qualys.

As always, if you experience any issues installing any of these patches this month, please feel free to leave a comment about it below; there’s a good chance other readers have experienced the same and may even chime in here with some helpful tips. My apologies for the tardiness of this post; I have been traveling in Australia this past week with only sporadic access to the Internet.

Downtown Melbourne, Australia.

Tags: , , ,

30 comments

  1. Thanks Brian, as always.

    For those who may not be familiar with them, two sites with very useful information are Woody Leonhard’s AskWoody (https://www.askwoody.com/) and Martin Brinkmann’s gHacks Tech News (https://www.ghacks.net).

    Those who may be experiencing patching issues, need advice or require help will find AskWoody especially worthwhile; a few months ago, Susan Bradley joined AskWoody as the “Patch Lady” (Susan is a Microsoft Small Business Server and Security MVP).

    Remember: keep smiling; it makes people wonder what you’re up to.

    • I go to askwoody and ghacks at least daily and I am pleased you too find this a good idea. Longtime Windows book author Ed Bott at
      https://www.zdnet.com/blog/bott/ is also useful most of the time for me. I naively install Microsoft Windows 10 and applications new versions faster than I should, but as a Home user I can afford to tolerate the potential consequences of a bad fix, as I prefer to enjoy the feature advantages of new versions of software.

  2. The Sunshine State

    I didn’t have any issues installing Windows 10 1809

  3. A little curiosity for you guys. I have kept an old XP SP3 system updated using the XP Embedded updates downloaded from the Microsoft Updates Catalog. The system runs on old hardware, an AMD Athlon XP 3000+ which does not support SSE2 instructions. Up to and including August 2018 the security updates ran as they should on this old processor. However, in September the updates installed successfully but on restarting I saw messages about illegal instructions. I knew straightaway what the problem was and located the troublesome update (which corrected a GDI vulnerability) to uninstall it and all was well. This month more updates were similarly troublesome and I ended up with only the Internet Explorer 8 update being installed.

    My point is that Microsoft has gone back on a rule that it only issued software for Windows XP and XP Embedded which would run on processors supporting SSE instructions or later. Those who still run POSReady systems on old (pre-SSE2) hardware will be in a bind as support does not end until April 2019. Clearly standards are breaking down in Microsoft so that different teams seem now to be using whatever compilers suit their mood. The GDI and .NET teams have probably changed their compilers whereas the IE teams seemingly have not. A change of culture at Microsoft seems to be indicated.

    I have yet to experience a single effect of malware or other exploits on my three XP systems, two of which have been in use since 2002 and the third since 2006. Since March 2014 I have desisted from using XP for purposes which would risk compromise of confidentiality and privacy.

    • Nice post! I have 2 Windows XP machines one running Athlon XP and another on Pentium II. Both do not have SSE2 support. I started getting exceptions around GDI+ update. I have had other issues around SSE2 support, as more apps start utilizing it. Firefox after 42 ESR does not work anymore without SSE2.

      I can understand improving performance for apps but for an OS to adopt this, this is not right. Essentially what Microsoft has done is broken compatibility with processors which were originally supported. This means that in the future Microsoft can break hardware support in the future as they see fit.

  4. I am always suspicious of Microsoft’s updates but this month I violated my own rule and installed it with no problem. I was lucky! In my defense, I always have a current Recovery disk and all data is backed up on an external hard drive in case there is a problem. It deeply troubling to read that beta testing had not been fully completed and that people lost all of their files. That is an unacceptable lapse by Microsoft. To make sure all continues to be well I update to the latest release after creating a new recovery drive and backing up again to my external hard drive. Microsoft is recommending that people who lost data use Recuva to restore the lost files. I sincerely hope it works. Never again will I install a Microsoft update until I am sure it is safe to do so. It is not worth the risk and way past time for Microsoft to get their act together. Linux is calling.

  5. System Restore does not deal with user data files. It seems that testing of updates is not as thorough as it should be. It surely cannot be beyond the abilities of Microsoft to test the effects on the contents of My Documents by its updates before releasing them.

    Home users of Windows cannot be expected to backup data files before Patch Tuesday. Their updates are usually automated and they will hardly be aware of them. To such users, Windows is a consumer product and is arguably not fit for such purpose.

    I am now going into winter hibernation.

  6. I updated to 1809 when it first came out with no issues. Last night I installed the latest updates and during the process comodo went crazy saying it found a virus in C:\Windows calling it a trojan. After about 10 popups from Comodo, I threw in the towel with windows and installed Linux Mint.
    I think that’s the only good solution at this point as Microsoft is not going to change anytime soon.

  7. My Documents, didn’t know anyone actually stored stuff there.
    Though don’t know what to do as I have about two updates that I can’t install as it puts the computer into a continuous reboot loop.

    • From my last 5 years working between Fortune 50 clients and now at an SMB, I can definitely state that the lions share of users save locally unless they are prevented from doing so. KFR can make it appear as if they don’t save locally but most users process seems to be saving whatever to either desktop or my documents.

  8. Any one having issues with keyboards not working after the Microsoft update?

    • Yes. My keyboard went down too.

      You can try to go into device manager. Find usb serial controlers > all usb root hubs. Go to properties > advanced > Uncheck box ‘allow to be turned off to save power’ for all usb root hubs (if you are using usb keyboard). There is another usb power setting in power options (advanced settings > usb > usb selective suspend), and you can also disable hybrid sleep. That is about all you can do except test the keyboard on other computers or use a system restore point.

  9. Installed Windows October Update on Windows 10 Enterprise on a Dell Latitude E5530, Intel Core i3, with no problems. At work, paused all updates on Windows 10 Pro and Enterprise machines till November to insure that no data loss occurs. To echo some of Chris Pugson’s comments, QA seems to be going down the tubes, and not just at Microsoft (which didn’t have the best track record of nicely QA’d updates, anyhow, over the years)…

  10. initially on offer for Win-7 64-bit installations:

    2018-10 Security and Quality Rollup for .NET Framework (KB4459922)
    2018-10 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KB4462923)
    Windows Malicious Software Removal Tool x64 – October 2018 (KB890830)

    The first and third were checked; the second (KB4462923) was unchecked, which IMHO was peculiar. I *unchecked* KB4459922 and checked KB4462923 and KB890830 which successfully installed, intending to install KB4459922 subsequently.

    After rebooting, KB4459922 was no longer on offer. Instead, KB3177467 showed up. It addresses “…an issue that was affecting the time it takes to install a new Windows Update.” Read all about it:

    http://support.microsoft.com/kb/3177467

    And you should read all about it BEFORE INSTALLING IT because there may be a subsequent problem (described … with a workaround) when rebooting.

    After successfully installing KB3177467, KB4459922 reappeared and I installed it without incident.

    Worth adding: I haven’t a clue whether my intervention improved or worsened the update process (or was irrelevant).

  11. 2018-10 cumulative security update forma internet explorer must installed manually

  12. So after the updates, my audio doesn’t work. There’s a red X on my volume icon. When I click on it, it opens troubleshooting but can’t find a problem. A couple times troubleshooting did say there was a problem and it fix it, but it didn’t. So I don’t know what is wrong. When I hover over the volume icon, it says no audio output device is installed.

    I’ve tried pretty much everything I can think of to fix it, except for uninstalling like the internet says to do, and reinstalling. Any one else having issues with their audio? And how do I fix this? Thank you!

  13. That skyline seems to disorganized. I want to use a god-sized hedge trimmer to round it out.

  14. Dell XPS13 9350 with Win 10 17134.345. Since update have had two issues: (1) the Intel Audio device disappeared, had to reinstall the default audio to restore sound; (2) old problem where wifi would not reconnect automatically to home network after lifting laptop lid, used to be fixed, now re-appeared.

  15. Nice photo (at the top of the comments section), Brian. Did you take it? What camera/phone?

Leave a comment