Woody Leonhard's no-bull news, tips and help for Windows, Office and more…
  • Yes, we’re still at MS-DEFCON 2 – No need to install any September updates

    Posted on September 14th, 2018 at 08:10 by woody

    Yes, I read the email you probably read this morning. No, I don’t see any reason to recommend that most people update their machines — not yet.

    Here are the two reasons given for rushing to install the September patches:

    CVE-2018-8440 – Windows ALPC Elevation of Privilege Vulnerability – included in all of this month’s Windows patches

    This is the zero-day exploit for Task Scheduler revealed on Twitter by @SandboxEscaper, who kindly provided links to working exploit code. Nice guy. Er, gal. Kevin Beaumont has a good overview here.

    Should you be rushing out to install all of this month’s Windows patches because of ALPC? I don’t think so. First, it’s an elevation-of-privilege exploit, not a remote one. In plain English, that means it’s only usable once a miscreant can already run code on your computer as an ordinary user; what it buys them is a step up to SYSTEM. Second, the initial round of infections was, according to Ionut Ilascu at Bleepingcomputer:

    a small number of victims in the following countries: Chile, Germany, India, the Philippines, Poland, Russia, the United Kingdom, the United States, and Ukraine.

    Yes, you’ll need to patch it eventually. Right now, it’s not a huge threat.

    CVE-2018-8475 – Windows Remote Code Execution Vulnerability

    This one’s a more immediate challenge. Microsoft gives few details beyond saying that Windows mishandles a specially crafted image file, but the gist is that somebody could take over your computer by getting you to open such an image. What isn’t clear is whether the image can do that when it’s merely viewed through a browser and, if so, which browsers. If it can, that’s a browse-and-own security hole, and that makes it a biggie. But.

    Microsoft’s security advisory says specifically:

    To exploit the vulnerability, an attacker would have to convince a user to download an image file.

    which doesn’t sound like browse-and-own to me.

    Dustin Childs, one of my favorite analysts, goes on to say:

    Microsoft provides no information on where this is public

    Microsoft lists the security hole as “Disclosed” but not “Exploited.” Symantec hasn’t found any exploits.

    That leads me to believe that it isn’t likely to be widespread in the near term. Again, yes, you’ll have to patch eventually.

    There are also security problems with Hyper-V (“a user on a guest virtual machine could execute code on the underlying hypervisor OS” per Childs), but that probably doesn’t matter much to you.

    Looking at the rest of the crop, I don’t see any overwhelming reason to get patched immediately.

    Given the current precarious state of this month’s patches — Intuit still doesn’t have a fix (update: it wasn’t the patches’ fault), there’s an unexplained dropped patch, Win7 is still kicking out error 0x8000FFFF, Win10 1803 can get doubly-patched or not patched at all — there’s plenty of reason to stand pat. And the patches have only been in circulation for three days.

    Are exploits “likely”? Sure, some day. But not now. Patience, grasshopper.

    Susan Bradley’s newly updated Master Patch List recommends that you wait, as well.
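    If you want to see where a machine actually stands before deciding to wait or go ahead, here is a short inventory check. It is an added example, not something from the post above or from Microsoft; it assumes Windows 7 SP1 with PowerShell 3.0 or later, and it only knows about the package numbers that come up in this thread (the Monthly Rollup KB4457144, the Security-only update KB4457145, and the IE11 cumulative update KB4463376), not the full September release. The Windows 10 release ID is read from the registry so that 1607 holdouts can confirm what they are running.

```powershell
# Added example (not from the AskWoody post): inventory check for the
# September 2018 Windows 7 packages named in this thread, plus the Windows
# release, so you can see where a machine stands before patching.
# Assumptions: Windows 7 SP1 / Server 2008 R2 KB numbers; PowerShell 3.0+;
# Get-HotFix only lists packages registered in Win32_QuickFixEngineering.

function Get-SeptemberPatchState {
    # KB numbers and roles as discussed in this thread, not the whole release
    $patches = @(
        [pscustomobject]@{ KB = 'KB4457144'; Role = 'Win7 Monthly Quality Rollup, Sept 2018' }
        [pscustomobject]@{ KB = 'KB4457145'; Role = 'Win7 Security-only Quality Update, Sept 2018' }
        [pscustomobject]@{ KB = 'KB4463376'; Role = 'IE11 Cumulative Update, 14 Sept 2018 (catalog-only)' }
    )

    # HotFixID is the "KBnnnnnnn" string; -contains works for one or many entries
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }

    foreach ($p in $patches) {
        [pscustomobject]@{
            KB        = $p.KB
            Installed = [bool]($installed -contains $p.KB)
            Role      = $p.Role
        }
    }
}

function Get-WindowsRelease {
    $nt = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Product   = $nt.ProductName
        Build     = $nt.CurrentBuild
        # ReleaseId (1607, 1703, 1709, 1803 ...) exists only on Windows 10; $null on Win7
        ReleaseId = $nt.ReleaseId
    }
}

Get-WindowsRelease
$state = Get-SeptemberPatchState
$state | Format-Table -AutoSize

# The Rollup and the Security-only update both carry this month's security
# fixes (including the CVE-2018-8440 ALPC fix); you need one of them, not both.
$haveSeptFixes = $state | Where-Object { $_.KB -ne 'KB4463376' -and $_.Installed }
if (-not $haveSeptFixes) {
    Write-Output 'September 2018 Windows security fixes are not installed on this machine.'
}
```

    Run it from an elevated PowerShell prompt. Get-HotFix reads the same data as Control Panel > Installed Updates, so cross-check there if a package you installed by hand from the Catalog does not show up; a missing entry means the package is not registered, not necessarily that the files are old.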


    • #217529 Reply

      Seff
      AskWoody Lounger

      Thanks Woody.

      What email?

      • #217552 Reply

        woody
        Da Boss

        I’m guessing that you don’t subscribe to Windows Secrets Newsletter.

        • #217559 Reply

          Seff
          AskWoody Lounger

          Ah! My sub expired this month and there’s no longer anything of interest in it to me as Patch Lady Susan is now here and the remaining articles are usually delving into the inner workings of Office and not much else, so I haven’t renewed.

    • #217536 Reply

      anonymous

      Note on Susan’s patch list,

      Windows 7 – the Monthly Quality Rollup is KB4457144 not 145.

    • #217548 Reply

      TheOwner
      AskWoody Lounger

      The new version of the file C:\Windows\system32\netevent.dll wiped all messages in Event Viewer (No MUI file found). My language is Czech, but before this change all events, even in English, were correct.

      So all events which use this DLL are corrupted (for me, MEIx64 and e1dexpress).

      The file date is 12.8.2018 22:28, so I am not sure if it is caused by the September or the August update.

      Win 7 64 bit

    • #217570 Reply

      Cybertooth
      AskWoody Lounger

      @woody, you wrote that

      Should you be rushing out to install all of this month’s Windows patches because of ALPC? I don’t think so. First, it’s a privilege execution exploit — in plain English, that means it’s only usable if a miscreant already has access to your computer.

      I’ve seen this kind of vulnerability description before, but I’ve never been entirely clear on what exactly it means when somebody says “if they have access to your computer.” Does it mean if they are sitting at your keyboard, or can it also mean if they have hacked remotely into your computer?

       

      • #217588 Reply

        GoneToPlaid
        AskWoody Lounger

        It would mean either sitting at your keyboard or the latter (remote access gained via a malware exploit). The upshot is that access is access, regardless of how such access was obtained.

        • #217609 Reply

          Seff
          AskWoody Lounger

          Just a reminder that anyone phoning you and purporting to be from Microsoft or an ISP (often not yours, of course) and claiming to have noted an issue on your computer which they can fix should not be given remote access to it. That is a scam, and the only thing that will be done with your computer is the installation of malware.

          I know it’s obvious, and nobody with the wit to frequent this site would fall for it, but I’ve just read an account in the UK news today of a professional financial adviser who fell for a con trick from financial fraudsters and lost almost a million pounds in the process. These people are trained to be convincing! Fortunately in that case the gang were caught and have been jailed for terms up to 13 years. They took just under 3 million pounds in total, including the life savings of a woman whose mother was struggling with cancer. Exercise caution, and don’t think it can’t happen to you!

    • #217589 Reply

      honx
      AskWoody Lounger

      This is the zero-day exploit for Task Scheduler revealed on Twitter by @SandboxEscaper

      Why do people always have to reveal exploits and security holes so that malware-******** can use them to infect other people’s computers?
      Wouldn’t it be enough to report it to Microsoft so that they can fix it? No, it has to be public for malware to arise… I don’t get it…

      Edit: Please refer to askwoody-lounge-rules regarding foul language.

    • #217591 Reply

      Rsebas
      AskWoody Lounger

      Regarding KB4457144.  I have a laptop – Windows 7 Home Premium 64bit and a Desktop – Windows 7 Home Premium 32 bit. After installing update KB4457144 ie11 stopped working on both computers. I reset the IE advanced and security setting on both machines but that did not solve the problem. I also attempted to chat with Microsoft and after waiting over 40 minutes with no response I gave up.  I uninstalled the update on both machines and IE now works.  Anyone else have this problem?

      RJS

      • #217619 Reply

        PKCano
        AskWoody MVP

        See abbodi86 ‘s post below – IE11 Cumulative Update released 9/14

    • #217592 Reply

      anonymous

      Question: I ~think~ I recall someone mentioning in a post for a Win7 Pro SP1 X64 Intel PC, getting the error 0X8000FFFF for the 9-2018 Secur-Only patch KB4457145. Still, I have the impression that this error ~generally~ hits the Rollup patch, ~not~ the Secur.-only. Correct?

    • #217605 Reply

      abbodi86
      AskWoody MVP

      Cumulative update for Internet Explorer for Windows 7 and Windows 8.1: September 14, 2018 (KB4463376)

      catalog-only
      likely will be included in the next Preview Rollup (unless they plan not to release one for this month)

      • #217624 Reply

        woody
        Da Boss

        Just posted https://www.askwoody.com/2018/heads-up-new-cumulative-update-kb-4463376-for-internet-explorer-on-win7-8-1/

    • #217633 Reply

      Flypaper
      AskWoody Lounger

      FWIW our company’s security guy was saying that the image exploit could be exploited even through Internet Explorer.  Eg, An ad with an exploited image appears.  Your computer downloads the image in order to display the ad banner.  You’re now compromised.

      There’s been talk on a couple security forums (I don’t have access so I haven’t read) regarding this.  Could be an overreaction, but I don’t think so as the exploit is in how Windows handles pictures, not any specific application.

    • #217945 Reply

      columbia2011
      AskWoody Lounger

      After installing .NET security patches to address CVE-2018-8421, SharePoint 2010 workflows stop working (KB 4457916).
      Here you can find a temporary solution: https://blogs.msdn.microsoft.com/rodneyviana/2018/09/13/after-installing-net-security-patches-to-address-cve-2018-8421-sharepoint-workflows-stop-working/

    • #217965 Reply

      anonymous

      Woody, don’t forget those of us still waiting on the fence with 1607 when you finally give the go ahead advice for September patches. Thanks in advance!

      • #217972 Reply

        woody
        Da Boss

        If you’re running 1607 (not LTSC), you need to move to 1709 or 1803 (or 1809) next month. There are too many exploits for 1607 running around — staying still isn’t safe.

        Wait for the general advice about moving from 1703, which I’ll have early next month, then do it.

        • #217976 Reply

          krutzy
          AskWoody Lounger

          I am still getting error code 80073701. Update KB4463376 updated fine. Update KB3177467 also updated fine previously. So is what you are waiting for possibly still going to fix this? Thank you for keeping us updated.

    • #217973 Reply

      Noel Carboni
      AskWoody MVP

      Am installing Windows 7 September Updates on my Win 7 test virtual machine.

      Offered to a system previously up to date “Group A” style: 3 Important updates only:

      [Attachment: September2018Updates]

      Beyond the normal Windows Update servers (ds.download.windowsupdate.com, fe2.update.microsoft.com, and download.windowsupdate.com), as usual lately both a setup.exe that was dropped in my TEMP folder and the Windows Installer tried to access http://www.microsoft.com online (but in both cases were denied by my firewall). Blocking this hasn’t caused any update failures in the recent past and as expected the updates seemed to go in okay again today. Sorry, Microsoft, but I’m no fan of software that unexpectedly chooses to reach out to the Internet. I remember all too well when malware was what dropped executables into your TEMP folder and ran them.

      Initial fitness for purpose testing hasn’t shown any new problems on this test VM so far, but of course I don’t do with it anywhere near all of what Windows can do (in other words, your mileage may vary; wait for Woody’s go-ahead).

      In my case I am using Windows 7 to run a small server, so I am concerned about getting my testing done and getting the updates on my hardware to mitigate the potential new packet fragmentation vulnerability. I’ll report back here, of course, if I find any problems.

      -Noel

