Update now! Microsoft fixes 49 bugs, 12 are critical

Microsoft’s October Patch Tuesday update made its scheduled appearance yesterday with fixes for 49 security flaws across its family of products, 12 of which are listed as ‘critical’.

Curiously, one of this month’s most interesting flaws hides itself among a further 35 rated merely ‘important’, namely the elevation-of-privilege flaw identified as CVE-2018-8453 affecting all Windows versions.

This is reportedly being exploited by a nation state hacking group nicknamed ‘FruityArmor’ whose highly targeted use of the flaw might explain its slightly lower rating.

A second CVE rated ‘moderate’ that stands out as unusual is CVE-2010-3190, the zombie flaw that refuses to die. A remote code execution (RCE) flaw first revealed eight years ago, this one has had at least two patches since then. Microsoft now says the flaw extends to Exchange Server 2016 too.

Public domain

Three other flaws rated ‘important’ are worth mentioning because they are in the public domain. The standout is CVE-2018-8423, a remote code execution vulnerability in the JET database engine, which means it’s in lots of software including Office. No exploits have been detected but it’s been in the public domain since a security company released details as it passed a 120-day patching deadline last month.

The other two are CVE-2018-8497, an elevation-of-privilege flaw in the Windows kernel, and CVE-2018-8531, a memory corruption issue in the Azure IoT client SDK.

Critical flaws

Twelve here in total, including CVE-2018-8473 and CVE-2018-8509 affecting the Edge browser, and CVE-2018-8460, affecting Internet Explorer (Edge is also impacted by two rated ‘important’, CVE-2018-8512 and CVE-2018-8530).

A further four of the critically-rated flaws are memory corruption vulnerabilities in the Chakra scripting engine, while a further two are RCEs in Windows Hyper-V.

Although CVE-2018-8320 is rated ‘important’ rather than ‘critical’, it fixes an interesting vulnerability in Windows’ DNS Global Blocklist, which could allow an attacker to bypass those restrictions.

Hidden fix

This article started by mentioning 49 security fixes, but you could argue that there’s a quiet 50th in the form of ADV180026, tagged as a Microsoft Office Defence in Depth update. These are a regular feature of Patch Tuesday and seem to implement lower-level programming improvements that reduce the likelihood of future security issues.

In a rare event, October sees no Flash Player fixes – version mends only performance and stability issues.

Windows 10 1809 rides again

Meanwhile, Microsoft has blamed a side-effect of a feature called “Known Folder Redirection (KFR)” for the file deletion problems some users had with last week’s October 2018 Windows 10 update.

You can read Microsoft’s explanation of how this happened here. The company’s claim that the issue affected only “one one-hundredth of one percent of version 1809 installs” sounds reassuring until you realise that Windows 10 is on 700 million computers.

The update has now been re-released for users on the Insider programme with general release due to recommence when Microsoft’s (and its users’) nerves settle.