Webinar Library
Welcome to this October Patch Tuesday Bulletin. This month Microsoft has been fairly easy going with us. We have 4 platforms with critical updates and although some are publicly released, none are being exploited. In the chart below we list various versions of Office. Please note that this includes Outlook, PowerPoint, Excel and Word. This month Microsoft also listed Office 365 Pro Plus. If you are running MS Office 2016 Click-to-Run (C2R) pay attention because Office 365 ProPlus is the same product formerly referred to as Microsoft Office 2016 Click-to-Run (C2R). The name has been updated in this chart to reflect Microsoft’s re-branding. In our chart below you might be surprised to see a 2010 CVE listed under Exchange Server. This wasn't by mistake. Exchange Server was not identified as an in-scope product when CVE-2010-3190 was originally published and this vulnerability affects all installations of Exchange Server. So if you are running any version of Exchange server released prior to Exchange Server 2016 Cumulative Update 11 (as of this publishing, Cumulative Update 10 is the most recent cumulative update for Exchange 2016), the Visual Studio 2010 updates in MS11-025 should be applied to your Exchange Server. Even though it's a fairly lite month please test and deploy updates to hosts that are affected by these vulnerabilities as soon as possible.
Over the years we've had millions of visitors to UltimateWindowsSecurity.com. Every month we have thousands and thousands of visitors to our Security Log Encyclopedia which documents all of the Security Log event ID’s for Windows Server OS’s. Back in 2007 when SharePoint added auditing capability, I realized that my audience not only needed the event information from SharePoint but I also found a similar need in SQL Server and Exchange. So not only did I document the data but I also started to develop the means to extract that event data from these applications so that it’s accessible and useable to the end user. Some 8 years later and LOGbinder is continuing to grow as companies realize LOGbinder bridges the gap between these applications and their infosec team. Visit LOGbinder.com to download a free 30-day fully functional trial and see the security event data that you have literally been missing.
So, without further ado, here’s the chart of MS patches that affect Windows platforms in the past month.
Patch data provided by:
Technology
Products Affected
Severity
Reference
Workaround/ Exploited
Vulnerability Info
Internet Explorer
IE 11
Critical
CVE-2018-8460 CVE-2018-8491
*Workaround: No **Exploited: No
Remote Code Execution
Edge
All
CVE-2018-8460 CVE-2018-8491 CVE-2018-8503 CVE-2018-8505 CVE-2018-8509 CVE-2018-8510 CVE-2018-8511 CVE-2018-8512 CVE-2018-8513 CVE-2018-8530
Security Feature Bypass
Windows
Windows 7, 8.1, 8.1 RT, 10
Server 2008/2008 R2
Sever 2012, 2012 R2
Server 2016
Server 2019
CVE-2018-8506 CVE-2018-8320 CVE-2018-8329 CVE-2018-8330 CVE-2018-8333 CVE-2018-8411 CVE-2018-8413 CVE-2018-8423 CVE-2018-8427 CVE-2018-8432 CVE-2018-8453 CVE-2018-8472 CVE-2018-8481 CVE-2018-8482 CVE-2018-8484 CVE-2018-8486 CVE-2018-8489 CVE-2018-8490 CVE-2018-8492 CVE-2018-8493 CVE-2018-8494 CVE-2018-8495 CVE-2018-8497
*Workaround: No
**Exploited: No
Information Disclosure
Elevation of Privilege
Office, Office Services and Web Apps
Web Apps 2010 SP2
SharePoint Server 2010 SP2, Enterprise 2013 SP1 & 2016
Office 2010SP2, 2013RT1, 2013SP1, 2016, 2019, Viewer 2007
Office 2016 for Mac
Office 365 ProPlus
Important
ADV180026 CVE-2018-8427 CVE-2018-8432 CVE-2018-8480 CVE-2018-8488 CVE-2018-8498 CVE-2018-8501 CVE-2018-8502 CVE-2018-8504 CVE-2018-8518
Defense in Depth
ChakraCore
CVE-2018-8473 CVE-2018-8500 CVE-2018-8503 CVE-2018-8505 CVE-2018-8510 CVE-2018-8511 CVE-2018-8513
SQL Server Management Studio
17.9, 18.0 Preview 4
CVE-2018-8527 CVE-2018-8532 CVE-2018-8533
.NET Core
1.0, 1.1, 2.1
CVE-2018-8292
PowerShell
Core 6.0
Azure
IoT Edge, Hub Device Client for Azure IoT
CVE-2018-8531
Information Disclsure
Exchange Server
2010 SP3, 2013, 2013 CU21, 2016, 2016 CU10
CVE-2010-3190 CVE-2018-8265 CVE-2018-8448
We will not share your address. Unsubscribe anytime. By clicking "Submit", you're agreeing to our Privacy Policy and consenting to be contacted by us.