Patch Tuesday breaks records — some good, most bad — and ‘Check for Updates’ still stings

A rather light Patch Tuesday this month brought security fixes for every version of Windows and every version of Office. Edge’s ChakraCore takes another one on the chin. Only one known zero-day, and it’s not directed at garden-variety Windows customers. Microsoft’s back to pushing Win10 1809 on computers that check for updates.

Open windows with billowy curtains
Thinkstock

Yesterday, Microsoft’s “B Week” Patch Tuesday, we saw a fairly small set of patches — “small” being a relative designation. There are 194 December updates in the Microsoft Catalog, with 39 separately identified security holes (CVEs), and with every supported version of Windows, Office and .Net getting a dose. We also got a new Security Advisory, which lists two new Servicing Stack Updates.

As usual, Martin Brinkman at ghacks.net has a full breakdown.

The zero-day

Only one of the patches relates to a known in-the-wild exploit, and that one’s pretty obscure. The CVE-2018-8611 security hole is yet another privilege elevation bug. That means if something odd gets into your computer, it can levitate itself up to admin status by taking advantage of this bug. Kaspersky Lab researchers found the security hole in exploits from two “threat actors” (read: groups with lots of money behind them, likely government-based) called FruityArmor and SandCat:

CVE-2018-8611 is a race condition that is present in the Kernel Transaction Manager due to improper processing of transacted file operations in kernel mode. … This vulnerability successfully bypasses modern process mitigation policies. … Combined with a compromised renderer process, for example, this vulnerability can lead to a full Remote Command Execution exploit chain in the latest state-of-the-art web-browsers. We have found multiple builds of exploit for this vulnerability. The latest build includes changes to reflect the latest versions of the Windows OS.

As long as you aren’t overly concerned about FruityArmor and SandCat, there’s no reason to apply the patch right away.

One acknowledged bug

Intrepid folks who have installed the patches have reported few problems. Of course, by my way of thinking, it’s much too early to tell if there are significant bugs in the patches, and I advise you to stay put until the unpaid beta-testers have their way.

There’s one bug that Microsoft has posted: The cumulative update for Win10 version 1803 — that’s the most common version of Windows 10 — KB 4471324carries a small surprise:

After installing this update, some users cannot pin a web link on the Start menu or the taskbar. Microsoft is working on a resolution and will provide an update in an upcoming release.

Not exactly earth-shattering.

ChakraCore poked for the 15th month in a row

Here’s the statistic that raised my eyebrows. According to Allan Liska at Recorded Future, this is the 15th month in a row that Microsoft has patched a security hole in its Edge browser:

Microsoft Edge has multiple critical vulnerabilities in its Chakra Core scripting engine. This is the now the 15th straight month that Microsoft has disclosed a vulnerability in the Chakra scripting engine, the last Patch Tuesday without a Chakra disclosure was September of 2017. This month’s vulnerability (CVE-2018-8583 and CVE-2018-8629) is a memory corruption vulnerability that, if exploited, would allow an attacker to execute arbitrary code on the victim’s machine.

The ChakraCore JavaScript engine just experienced a, uh, major life event. Last week, Microsoft’s Joe Belfiore announced that the Edge browser was going through an extreme makeover, dropping its vaunted EdgeHTML rendering engine. Computerworld’s Gregg Keizer put it this way:

After a years-long pummeling, Microsoft this week surrendered in the browser war, saying that it will junk Edge's home-grown rendering engine and replace it with Blink, the engine that powers Google's Chrome. With Edge pulling code from the Chromium project, the browser will also be able to run on Windows 7 and Windows 8.1, as well as macOS.

ChakraCore wasn’t mentioned in any of the official announcements, but developers were concerned because the ChakraCore JavaScript engine is tied, in the minds of many, with EdgeHTML. The next day, Microsoft engineer liminzhu posted this on GitHub:

We’ve seen your questions for ChakraCore and we want to be transparent and honest with the open-source community that has given us so much support. To be compatible with the rest of the platform and reduce interoperability risks, Microsoft Edge will use the V8 engine as part of this change. There is much to build and learn, but we’re excited to take part in the V8 community and start contributing to the project.

ChakraCore is currently being used in various projects outside the browser. So, despite the change of direction for Microsoft Edge, our team will continue supporting ChakraCore.

Chrome V8 is a JavaScript rival to ChakraCore.

Remember that Edge was supposed to be Microsoft’s most secure browser ever. It looks as if ChakraCore has stumbled significantly. Perhaps the switch to Chromium was also influenced by ChakraCore’s shortcomings?

Seekers get no respect

Looks like Microsoft’s back to its old ways, interpreting “Check for updates” as carte blanche to install anything and everything on your machine, without first presenting you with a list, or asking for permission. “Check for” in the Microsoft lexicon is synonymous with “Install whatever you want.”

I see many reports of seekers — those who have the temerity to click “Check for updates” — end up with a shiny new copy of 1809 on their machines.

Don’t be fooled. If you want to wait to install the next version of Windows, set it to block version 1809. And don’t click Check for Updates unless you’ve gone through a full wushowhide cycle to make sure any unwanted updates/upgrades/offal are blocked.

Servicing Stack updates

Microsoft still hasn’t found a reliable way to get Windows Update to update itself without outside interference. Thus, we have two new Servicing Stack updates detailed in the newly reissued Servicing Stack updates Advisory 9900001:

Win10 1709 Build 16229.846 KB 4477136

Win10 1803 Build 17134.471 KB 4477137

Preview respite for December

Microsoft has taken pity on us, I think — or maybe it's giving its employees a break — and promised that it won’t be surprising us with any non-security “second monthly” cumulative updates for Windows 10 and “Preview of Monthly Rollups” for Win7 and 8.1. All of the latest KB articles include this promise of relief:

Because of minimal operations during the holidays and upcoming Western new year, there won’t be any preview releases for the month of December 2018. Monthly servicing will resume with the January 2019 security releases.

We can only hope.

What to do

Nothing. Sit tight. There are no wolves at your door. Let’s see how these patches go before you install them.

Perhaps we’ll get a Festivus present where Microsoft figures out a way to test all of this stuff before it comes out. Michael Fortin’s post Windows monthly security and quality updates overview sure gives us a lot of insight into a process that, demonstrably, doesn’t work. Maybe we’ll get a better one.

Ah, there I go hoping again.

Join the ongoing watch on the AskWoody Lounge.

6 tips for scaling up team collaboration tools
  
Shop Tech Products at Amazon