If you find patching security flaws strangely satisfying, you’re in luck – Microsoft’s and Adobe’s December Patch Tuesdays have arrived with plenty for the dedicated updater to get stuck into.
Don’t be fooled by the lighter-than-usual Windows patching load, featuring 39 CVE-level vulnerabilities, including nine rated critical.
Buried within these is a dangerous zero-day local privilege escalation flaw across all Windows versions, CVE-2018-8611, reportedly exploited by an APT group since at least October.
A second in the public domain but not yet known to be exploited is CVE-2018-8517, a .NET denial of service flaw. Both are rated ‘important’, probably because exploiting them depends on other compromises being deployed first.
As for the criticals, watch out for two remote code execution browser vulnerabilities in IE and Edge (CVE-2018-8631) and CVE-2018-8624 respectively), which Microsoft rates as exploit candidates – the same goes for CVE-2018-8628 in PowerPoint.
Windows reboot
An extra complication with the Windows 10 updates this time relates to which version of the OS users are running.
Had all gone to plan with the Windows 10 October 2018 update, many home users could be sure they were using version 1809 – in which case they’d be looking for update KB4471332, bringing the build number to 17763.194.
However, because of unprecedented technical problems, Microsoft delayed its release and inched towards re-release with no fewer than four preview (i.e. test) builds.
And yet, the troubled version 1809 is already in use by two sets of users – those who downloaded it in October but who didn’t (or were unable) to roll back, and anyone signed up to receive preview builds.
It now appears that some users from the wider world are once again being offered 1809 as a regular update in the week they’re getting their Patch Tuesday updates.
If you’re one of the majority still running April’s version 1803, the update you’ll receive is KB4471324, taking the build number to 17134.471.
Life shouldn’t be this complicated, even for Windows users.
Microsoft needed this like a hole in the head in a year that has seen an unusual level of expert disquiet regarding the state of its Windows 10 updates.
Adobe repeats
Arguably, the biggest excitement this month is over at Adobe, which sees the arrival of a fixathon of 87 CVEs for Reader and Acrobat.
The user base has spent rather more time on Adobe fixes since November’s update than seems fashionable, including last week’s out-of-band Flash fix CVE-2018-15982 zero-day flaw on top of a publicly-known Flash critical from late November (CVE-2018-15981).
If you didn’t get these fixes, you’ll find them in this week’s update (corresponding to Adobe’s APSB18-42), which along with the other fixes takes Acrobat and Reader DC to version 2019.010.20064, Acrobat/Reader DC 2017 to 2017.011.30110, and Acrobat/Reader DC Classic to 2015.006.30461.
The ones to watch in this update bonanza are the criticals – 39 in total.
This is a lot of patching after a period when Flash appeared to be sinking under the volume of flaws being found by researchers. It might officially be on its last legs, but it’s looking more and more as if it will go down in a blaze of un-glory.
If this doesn’t motivate users to remove it, perhaps nothing will.