{"id":13112,"date":"2018-08-15T08:30:07","date_gmt":"2018-08-15T16:30:07","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2018\/08\/15\/news-6879\/"},"modified":"2018-08-15T08:30:07","modified_gmt":"2018-08-15T16:30:07","slug":"news-6879","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/08\/15\/news-6879\/","title":{"rendered":"Patch Tuesday fallout: Bad docs, but so far no major problems"},"content":{"rendered":"

<\/p>\n

Credit to Author: Woody Leonhard| Date: Wed, 15 Aug 2018 08:46:00 -0700<\/strong><\/p>\n

Microsoft may have fixed July\u2019s horrible, no good,\u00a0<\/span>very bad patches<\/span><\/a>. Although the initial documentation for this month\u2019s patches included warnings about many of the bugs that persisted from July, it ends up that the docs were wrong, and most of the known problems seem to be fixed. <\/span><\/p>\n

As of early Reboot Wednesday morning, the patches seem to be behaving themselves. Of course, it frequently takes days or even weeks for bugs to appear, so you\u2019d be well advised to avoid jumping into the unpaid battle zone for now.<\/span><\/p>\n

On August 2018 Patch Tuesday, the 14th, Microsoft released 60 security patches, 19 of which are categorized as \u201cCritical\u201d and 39 \u201cImportant.\u201d Thirteen of the \u201cCritical\u201d exploits are with Internet Explorer and\/or Edge (<\/span>6 \u201cCritical\u201d for IE, 10 for Edge<\/span><\/a>). <\/span><\/p>\n

SANS Internet Storm Center says\u00a0<\/span>two of the holes have active exploits<\/a>. One of the zero-days is \u201cImportant\u201d (which means it isn\u2019t). The other, CVE-2018-8373, affects only Internet Explorer. Says Dr Johannes Ulrich at SANS:<\/span><\/p>\n

This is yet another scripting engine memory corruption issue. There have been plenty like it, so exploit writers likely have already a game plan how to write yet another exploit for this problem.<\/span><\/p>\n

Moral of the story: Don\u2019t use Internet Explorer.<\/span><\/p>\n

Every version of Windows got patched. Every version of .NET. Every version of IE. Every version of Office. You get the picture. <\/span><\/p>\n

There were three new Security Advisories, including <\/span>ADV180018<\/span><\/a>, which covers the L1TF \u201cForeshadow\u201d vulnerability in Intel processors. Foreshadow, <\/span>as you likely know<\/span><\/a>, follows in the footsteps of Meltdown and Spectre as yet another well-publicized data-leaking insecurity, complete with its own website and downloadable logo. Like Meltdown and Spectre before it, Foreshadow hasn\u2019t been exploited in any meaningful sense of the term.<\/span><\/p>\n

When Microsoft first released the August Patch Tuesday patches, the Windows and .NET patches, in particular, had warnings about bugs that were introduced in July. The Knowledge Base articles for Win10 1703, 1709, and 1803 all warned about the \u201cCOM component fails to load\u201d bug. We discovered that the warning was erroneous, and the KB articles have been changed to remove the warnings.<\/span><\/p>\n

Similarly, there was a great deal of confusion about the <\/span>Security Updates Portal<\/span><\/a> continuing to list those bugs. It, too, was changed on Tuesday night to reflect the new reality. The changes were made without notification.<\/span><\/p>\n

As of this moment, we have four acknowledged bugs in the current patches that fall into two categories:<\/span><\/p>\n

As Susan Bradley <\/span>explains<\/span><\/a> about the latter, it\u2019s pretty obscure:<\/span><\/p>\n

In ALL of my Windows 7 testing I have had zero issues and my understanding this network interface problem is limited to VMware (virtual machine) installs. \u00a0Thus I don\u2019t anticipate that we will see this on normal machines.<\/span><\/p>\n

There\u2019s also an <\/span>open question<\/span><\/a> as to whether the SQL Server vulnerability CVE-2018-8273 applies to SQL Server 2014. <\/span>Microsoft Security Response<\/span><\/a> has yet to, uh, respond.<\/span><\/p>\n

Color me cautiously optimistic \u2014 a hue I haven\u2019t worn in many a moon. As long as you don\u2019t use IE or Edge, avoid Flash, and keep your brain connected to your clicking finger, you should be OK while we wait to see if there are any nasty surprises.<\/span><\/p>\n

Join RMS Titanic\u2019s orchestra in the <\/span><\/i>AskWoody Lounge<\/span><\/i><\/a>. I’ll be playing the bass clarinet.<\/span><\/i><\/p>\n

http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

<\/p>\n

Credit to Author: Woody Leonhard| Date: Wed, 15 Aug 2018 08:46:00 -0700<\/strong><\/p>\n

\n
\n

Microsoft may have fixed July\u2019s horrible, no good,\u00a0<\/span>very bad patches<\/span><\/a>. Although the initial documentation for this month\u2019s patches included warnings about many of the bugs that persisted from July, it ends up that the docs were wrong, and most of the known problems seem to be fixed. <\/span><\/p>\n

As of early Reboot Wednesday morning, the patches seem to be behaving themselves. Of course, it frequently takes days or even weeks for bugs to appear, so you\u2019d be well advised to avoid jumping into the unpaid battle zone for now.<\/span><\/p>\n

To read this article in full, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[714,10525],"class_list":["post-13112","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-security","tag-windows"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13112","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=13112"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13112\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=13112"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=13112"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=13112"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}