November 14, 2018

Microsoft on Tuesday released 16 software updates to fix more than 60 security holes in various flavors of Windows and other Microsoft products. Adobe also has security patches available for Flash Player, Acrobat and Reader users.

As per usual, most of the critical flaws — those that can be exploited by malware or miscreants without any help from users — reside in Microsoft’s Web browsers Edge and Internet Explorer.

This week’s patch batch addresses two flaws of particular urgency: One is a zero-day vulnerability (CVE-2018-8589) that is already being exploited to compromise Windows 7 and Server 2008 systems.

The other is a publicly disclosed bug in Microsoft’s Bitlocker encryption technology (CVE-2018-8566) that could allow an attacker to get access to encrypted data. One mitigating factor with both security holes is that the attacker would need to be already logged in to the targeted system to exploit them.

Of course, if the target has Adobe Reader or Acrobat installed, it might be easier for attackers to achieve that log in. According to analysis from security vendor Qualys, there is now code publicly available that could force these two products to leak a hash of the user’s Windows password (which could then be cracked with open-source tools). A new update for Acrobat/Reader fixes this bug, and Adobe has published some mitigation suggestions as well.

In addition, Adobe pushed out a security update for Windows, Mac, Linux and Chrome versions of Flash Player. The update fixes just one vulnerability in Flash, but I’m sure most of us would rather Flash died off completely already. Adobe said it plans to end support for the plugin in 2020. Google Chrome is now making users explicitly enable Flash every time they want to use it, and by the summer of 2019 it will make users go into their settings to enable it every time they want to run it.

KrebsOnSecurity has frequently suggested that Windows users wait a day or two after Microsoft releases monthly security updates before installing the fixes, with the rationale that occasionally buggy patches can cause serious headaches for users who install them before all the kinks are worked out.

Windows 10 likes to install patches all in one go and reboot your computer on its own schedule. Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update.

In either case, it’s a good idea to get in the habit of backing up your data before installing Windows updates. Unlike last month, when many Windows users saw the contents of their “My Documents” folder erased by a buggy update, I’m not aware of any major issues this time around.

If you experience any problems installing any of these patches this month, please feel free to leave a comment about it below; there’s a good chance other readers have experienced the same and may even chime in here with some helpful tips.


29 thoughts on “Patch Tuesday, November 2018 Edition

  1. Mike Miller

    WHAT – “Unlike last month, when many Windows users saw the contents of their “My Documents” folder erased by a buggy update”.

    I don’t recall you (or anyone else) writing anything about this. If it was anything but very rare, might it be worth a post/article specifically about this? (I know good IT hygiene is to back up frequently and before software changes/updates, but still…..)

    1. Me

      That was not the monthly patches but the new feature pack / every 6 month feature pack update. It was Windows 10 1809 (1810 or whatever they are officially calling it) release that did that.

  2. Scott

    I’ve still not seen a good explanation about WHY it happened. I updated to 1809 and have several GBs of data in My Documents, and nothing was affected, thank goodness. So, what was the differentiating factors that caused the bug? I’ve read all the articles talking about how/why MS’s QA missed the issue, which was oft reported through their early adopters feedback program. But, never a good explanation of how the bug was triggered.

  3. Priscilla

    My Outlook stopped working yesterday and now my Adobe Photoshop won’t open. This is ridiculous!!!! I deleted the updates but no luck. Last update lost files and now this. Can’t believe this!!!

    1. Dave

      You might try system restore to an earlier date and see if that works or re-install Outlook and Photoshop. I don’t use Outlook, but my Photoshop opens fine.

  4. Bob S.

    In regards to the “Scott” (November 14, 2018 at 9:55am) question/comment about why the permanent file-deletion debacle occurred with the Windows 10 1809 October issue of the bi-annual “feature update.”

    Steve Gibson — on the Oct 16, 2018, episode #685 ( https://www.grc.com/sn/sn-685.htm ) of his long-running. weekly ‘Security Now!’ podcast — went into the details.

    The problem had to do with a specific issue involving “Known Folder Redirection”. (Just search that term within the above ‘SN’ URL page…which takes you to the full online transcript page of that episode of ‘Security Now!’) Apparently, the issue “only” affected those who had moved, or redirected, their documents (photos; etc.) folder.

    You can check out more of Steve Gibson’s ‘Security Now!’ episodes via Steve Gibson’s SN archive ( https://www.grc.com/securitynow.htm ). Alternately, you can also watch them via the online archive ( https://www.youtube.com/user/TWiTSecurityNow/videos ).

    BTW…Brian Krebs was previously a featured guest on “Security Now 392: The Internet Underworld with Brian Krebs” back on Feb. 20, 2013. You can watch that episode via ( https://www.youtube.com/watch?v=wYW34hICf4k ).

    Bob S.

    [P.S.: Thanks to Brian, Steve, et al, who take the enormous amount of time and effort to delve into the deep end (bottomless pit?) of the seemingly never-ending computer security issues.]

    1. roger tubby

      Bob S – Thanks for that link to Steve Gibson’s Security Now blog.

      Steve has long been a champion of telling us how things work (and frequently don’t). I forget to check in to see what’s happening in the world of GRC so I’ll now add it to my expanding list of RSS feeds.

  5. Frank

    An old time Windows Guru, Woody Leonhard,who writes for Computer World and also has a blog named Ask Woody, has a system for letting users know when it is safe to install new Windows updates. I never install any updates until he says it’s OK and safe to do so. Right now he says do not install Microsoft’s November security updates.
    https://www.askwoody.com/

  6. Kevin

    Re the Windows 10 updates, and the release of the new Windows 10 fixed upgrade, did Tuesday’s updates fix the issues that were in the original installation of the latest Windows 10? Or, do we who had installed that need to l completely reinstall the OS?!

  7. ghost hen

    remember forever install these patches: 2018-11 cumulative .NET framework and 2018-11 montlhy security and quality rollup and next the 2018 security update for i.e 11 for best results.

  8. ale

    if you’ve not removed Flash player, Java, and Silverlight, you deserved to get hacked! stop updating these programs, delete them. The bad guys cant exploit them if their not installed.

  9. John Blue

    If you are still in need of flash you need to get a different provider. HTML5 I believe it is called. Get with the program. My web browser Firefox 63.0.1 64 bit does pdf, even though Windows 10 won’t let me change it to default for pdf files. I refuse to live on the Edge.

  10. Godel

    Apparently Windows 10 1809 is still racked with serious bugs. See the latest askwoody.com.

  11. Jack Goff

    I updated my Windows 10, and now it’s snowing outside. Microsoft sucks.

    1. Readership1

      In my decades of using Windows, I’ve never been harassed by lions. Obviously related.

      🙂

  12. Melissa Caron

    MAY DAY MAY DAY! I’m an insurance agency owner and have windows 7 on my desktop HP. The last update 11-14-18 has a bug that causes onscreen keyboard to stay on EVEN AFTER CHECKING EASE OF ACCESS SETTINGS. They are all off. I have also unplugged and replugged..restarted my USB keyboard to no avail. Please help. I have a ton of work..this is unacceptable from microsoft.

  13. Yvonne Raiwet

    Since one update or another, my sleep function doesn’t work. When will that be fixed?

  14. Sonnie

    I’ve noticed that Skype for Business after patching seems to have broken the ability to send emoticons.

  15. Daniel Bourque

    About the auto-reboot of WindowsUpgrade, it’s possible to block it by using Reboot-Blocker ( https://www.udse.de/en/windows-10-reboot-blocker )

    This install a service to change the Active hours period you can set to prevent a reboot while you are working (max period of 18 hours). The service change the Active Hour Period every hour so Windows is never allowed to reboot.

  16. Readership1

    In the latest update on Windows 10, I can no longer open the dialogue box for printer preferences, when attempting to print stuff.

    Exception protection fault error. 🙁

    This sucks, because I often need to switch from printing high quality color to draft black-and-white.

    I use an HP photosmart printer, with the HP drivers they last updated in 2017.

  17. JimV

    Yet another critical security update for Flash, bringing it to v32.0.0.101.

Comments are closed.