Newsletter Archives

  • Single-purpose patch for CVE-2018-8174, the VBScript 0day, available from 0patch

    This isn’t an endorsement.

    If you read my summary of this month’s patches, you’ll recall that there’s one potentially important patch:

    Microsoft released an explanation for the one “critical” Windows patch this month that is being actively exploited — a zero-day. Called CVE-2018-8174, the security hole involves the way Internet Explorer (mis)handles VBScript programs.

    That’s the one big security hole staring at us so far this month. I still haven’t heard of any exploits other than the ones identified by Kaspersky and Qihoo 360 (remember – they involved PDF files in Yiddish/Hebrew sent to Chinese organizations), but it’s still a potential problem.

    And then Microsoft screwed up the Windows 7 patches this month, breaking networks on some Win7 systems.

    Given the current state of affairs, you can either fix the VBScript 0day and possibly break your network card in the process, or you can avoid the update entirely until Microsoft finally fixes it. Whenever that may be.

    I was surprised to discover that 0patch, a well regarded patching platform from ACROS Security, now has a free patch available that plugs the 0day hole by simply, well, plugging the 0day hole. What a novel idea. Microsoft should do that… he says, tongue planted firmly in cheek.

    I’m NOT recommending that you run out and install the 0patch patch. It always gives me the willies when I see a non-Microsoft product offered to fix a Microsoft bug. But in this case, if you read the description, the analyst there who wrote the patch (Mitja Kolsek) knows what he’s doing.

    So rather than recommend that patch, I’m putting out a feeler to see if any of you have installed this patch — or if you have experience with other 0patch patches.

    Whaddya think?

  • Patch Tuesday problems and fixes, but there’s no cause for alarm


    Consolidated news about this month’s patches for Win10 version 1803, the CVE-2018-8174 VBScript zero-day (which isn’t bad yet), the Win10 version 1709 Meltdown bug fix of a fix, the “authentication error” CredSSP bug that isn’t a bug, and the final resolution of that Server 2008 R2 SMB memory leak fix.

    Sliding down the razor blade of patches. Computerworld Woody on Windows.