Patch Tuesday, September 2018 Edition

Adobe and Microsoft today each released patches to fix serious security holes in their software. Adobe pushed out a new version of its beleaguered Flash Player browser plugin. Redmond issued updates to address at least 61 distinct vulnerabilities in Microsoft Windows and related programs, including several flaws that were publicly detailed prior to today and one “zero-day” bug in Windows that is already being actively exploited by attackers.

As per usual, the bulk of the fixes from Microsoft tackle security weaknesses in the company’s Web browsers, Internet Explorer and Edge. Patches also are available for Windows, Office, Sharepoint, and the .NET Framework, among other components.

Of the 61 bugs fixed in this patch batch, 17 earned Microsoft’s “critical” rating, meaning malware or miscreants could use them to break into Windows computers with little or no help from users.

The zero-day flaw, CVE-2018-8440, affects Microsoft operating systems from Windows 7 through Windows 10 and allows a program launched by a restricted Windows user to gain more powerful administrative access on the system. It was first publicized August 27 in a (now deleted) Twitter post that linked users to proof-of-concept code hosted on Github. Since then, security experts have spotted versions of the code being used in active attacks.

According to security firm Ivanti, prior to today bad guys got advance notice about three vulnerabilities in Windows targeted by these patches. The first, CVE-2018-8457, is a critical memory corruption issue that could be exploited through a malicious Web site or Office file. CVE-2018-8475 is a critical bug in most supported versions of Windows that can be used for nasty purposes by getting a user to view a specially crafted image file. The third previously disclosed flaw, CVE-2018-8409, is a somewhat less severe “denial-of-service” vulnerability.

Standard advice about Windows patches: Not infrequently, Redmond ships updates that end up causing stability issues for some users, and it doesn’t hurt to wait a day or two before seeing if any major problems are reported with new updates before installing them. Windows 10 likes to install patches and reboot your computer on its own schedule, and Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update.

It’s a good idea to get in the habit of backing up your computer before applying monthly updates from Microsoft. Windows has some built-in tools that can help recover from bad patches, but restoring the system to a backup image taken just before installing updates is often much less hassle and an added peace of mind while you’re sitting there praying for the machine to reboot successfully after patching.

The sole non-Microsoft update pushed by Redmond today fixes a single vulnerability in Adobe Flash Player, CVE-2018-15967. Curiously, Adobe lists the severity of this information disclosure bug as “important,” while Microsoft considers it a more dangerous “critical” flaw.

Regardless, if you have Adobe Flash Player installed, it’s time to either update your browser and/or operating system, or else disable this problematic and insecure plugin. Windows Update should install the Flash Patch for IE/Edge users; the newest version of Google Chrome, which bundles Flash but prompts users to run Flash elements on a Web page by default, also includes the fix (although a complete Chrome shutdown and restart may be necessary before the fix is in).

Loyal readers here know full well where I stand on Flash: This is a dangerous, oft-exploited program that needs to be relegated to the dustbin of Internet history (for its part, Adobe has said it plans to retire Flash Player in 2020). Fortunately, disabling Flash in Chrome is simple enough. Paste “chrome://settings/content” into a Chrome browser bar and then select “Flash” from the list of items.

By default, Mozilla Firefox on Windows computers with Flash installed runs Flash in a “protected mode,” which prompts the user to decide if they want to enable the plugin before Flash content runs on a Web site.

Administrators have the ability to change Flash Player’s behavior when running Internet Explorer on Windows 7 by prompting the user before playing Flash content. A guide on how to do that is here (PDF). Administrators may also consider implementing Protected View for Office. Protected View opens a file marked as potentially unsafe in Read-only mode.

As always, please feel free to leave a note in the comments below if you experience any issues installing these fixes. Happy patching!

Leave a Reply