Thanksgiving comes early this year, but the Microsoft windows 10 October 2018 Update is coming late. Should we be thankful? Let’s revisit the short history of this release, talk about a serious Bluetooth vulnerability, and look at what may be coming this November Patch Tuesday.

I still expect great things from the Microsoft Windows 10 October 2018 Update. I mentioned in the forecast last month the features I’m particularly happy to see are faster updates with less downtime and smaller downloads for quality updates.

For those of us in the security business, these features alone will save us time, bandwidth, and storage as we update our systems, but it has been a rocky start for this release. Microsoft skipped the normal Release Preview process in early October and released the update during a press conference.

After a few short days, Microsoft paused the release with several major flaws being reported. The update deleted all your files in the C:/Users/[username]/Documents/ folder. To add further concern, rolling back to the previous version did not restore the files.

Other issues were reported including a compatibility problem with audio device drivers and the displayed Task Manager information. Not a good start for a major new release.

Microsoft quickly addressed these issues and provided updates to the Windows Insider program in the Slow and Release Preview rings. Several additional issues, such as a problem with zip files not extracting properly , were discovered and also addressed. With Microsoft following the Release Preview process this time, I anticipate a Windows 10 October 2018 Update announcement any day now.

Bluetooth vulnerabilities

Two serious Bluetooth vulnerabilities in Wi-Fi access points sold by Cisco, Meraki and Aruba were discussed the first of this month. The vulnerabilities exist in the Texas Instruments chips used in these devices and associated CVEs are CVE-2018-16986 and CVE-2018-7080. The latter vulnerability is present only in the Aruba devices. The first vulnerability is exploited in two steps.

In the first step, a specially crafted advertising packet containing executable code is sent to the access point where it is stored as part of the normal access point process. In the second step, another specially crafted advertising packet will trigger the code loaded by the first packet, causing a memory overflow and the code to execute. This code can then attempt to control the access point with no authentication. The CVE-2018-7080 vulnerability is related to an over-the-air firmware upgrade on the Aruba devices which have a common password.

This sounds bad from a security standpoint, but there are two factors in your favor. The code to conduct this exploit is very processor-dependent and therefore must be tailored to each device type. Second, since it is Bluetooth, the attacker must be in close proximity to your access points. This will be an issue in retail and commercial establishments with open public access, but not such a problem within a controlled corporate environment. Regardless, updates are available, so you should patch these devices as soon as possible.

Oracle, Chrome, Firefox

I want to remind you about some important updates from October. Oracle released their Critical Patch Update the week after October Patch Tuesday. This included Java 8 and Java 11 updates with a total of 12 vulnerabilities remediated between the two. There was also a non-security release for Java 8. The two are Java8u191 (security) and Java8u192. Google Chrome version 70 was released with fixes for 23 vulnerabilities. Finally, Firefox and Firefox ESR had updates last month addressing 15 unique CVEs.

November forecast

Let’s look ahead to our forecast for Patch Tuesday week:

Microsoft should announce the ‘new’ release of the Windows 10 October 2018 Update. The last few months have seen updates for SQL server, Exchange server, .NET and others so we may get a break from these special applications and operating systems. A zero-day exploit was reported in the data sharing service of Windows 10 and related server versions that results in privilege escalation. Expect to see this addressed, as well as the usual updates for the legacy Windows operating systems. Major updates have been made for Java, Chrome, and Firefox, so we expect only the usual Flash update next week.

本文系统(windows)相关术语:三级网络技术 计算机三级网络技术 网络技术基础 计算机网络技术

分页:12
转载请注明
本文标题:Round two: Microsoft prepares to release Windows 10 October 2018 Update… again!
本站链接:https://www.codesec.net/view/611781.html


1.凡CodeSecTeam转载的文章,均出自其它媒体或其他官网介绍,目的在于传递更多的信息,并不代表本站赞同其观点和其真实性负责;
2.转载的文章仅代表原创作者观点,与本站无关。其原创性以及文中陈述文字和内容未经本站证实,本站对该文以及其中全部或者部分内容、文字的真实性、完整性、及时性,不作出任何保证或承若;
3.如本站转载稿涉及版权等问题,请作者及时联系本站,我们会及时处理。
登录后可拥有收藏文章、关注作者等权限...
技术大类 技术大类 | 系统(windows) | 评论(0) | 阅读(10)