Round two: Microsoft prepares to release Windows 10 October 2018 Update… again!

Thanksgiving comes early this year, but the Microsoft Windows 10 October 2018 Update is coming late. Should we be thankful? Let’s revisit the short history of this release, talk about a serious Bluetooth vulnerability, and look at what may be coming this November Patch Tuesday.

I still expect great things from the Microsoft Windows 10 October 2018 Update. I mentioned in the forecast last month the features I’m particularly happy to see are faster updates with less downtime and smaller downloads for quality updates.

For those of us in the security business, these features alone will save us time, bandwidth, and storage as we update our systems, but it has been a rocky start for this release. Microsoft skipped the normal Release Preview process in early October and released the update during a press conference.

After a few short days, Microsoft paused the release with several major flaws being reported. The update deleted all your files in the C:/Users/[username]/Documents/ folder. To add further concern, rolling back to the previous version did not restore the files.

Other issues were reported including a compatibility problem with audio device drivers and the displayed Task Manager information. Not a good start for a major new release.

Microsoft quickly addressed these issues and provided updates to the Windows Insider program in the Slow and Release Preview rings. Several additional issues, such as a problem with zip files not extracting properly, were discovered and also addressed. With Microsoft following the Release Preview process this time, I anticipate a Windows 10 October 2018 Update announcement any day now.

Bluetooth vulnerabilities

Two serious Bluetooth vulnerabilities in Wi-Fi access points sold by Cisco, Meraki and Aruba were discussed the first of this month. The vulnerabilities exist in the Texas Instruments chips used in these devices and associated CVEs are CVE-2018-16986 and CVE-2018-7080. The latter vulnerability is present only in the Aruba devices. The first vulnerability is exploited in two steps.

In the first step, a specially crafted advertising packet containing executable code is sent to the access point where it is stored as part of the normal access point process. In the second step, another specially crafted advertising packet will trigger the code loaded by the first packet, causing a memory overflow and the code to execute. This code can then attempt to control the access point with no authentication. The CVE-2018-7080 vulnerability is related to an over-the-air firmware upgrade on the Aruba devices which have a common password.

This sounds bad from a security standpoint, but there are two factors in your favor. The code to conduct this exploit is very processor-dependent and therefore must be tailored to each device type. Second, since it is Bluetooth, the attacker must be in close proximity to your access points. This will be an issue in retail and commercial establishments with open public access, but not such a problem within a controlled corporate environment. Regardless, updates are available, so you should patch these devices as soon as possible.

Oracle, Chrome, Firefox

I want to remind you about some important updates from October. Oracle released their Critical Patch Update the week after October Patch Tuesday. This included Java 8 and Java 11 updates with a total of 12 vulnerabilities remediated between the two. There was also a non-security release for Java 8. The two are Java8u191 (security) and Java8u192. Google Chrome version 70 was released with fixes for 23 vulnerabilities. Finally, Firefox and Firefox ESR had updates last month addressing 15 unique CVEs.

November forecast

Let’s look ahead to our forecast for Patch Tuesday week:

• Microsoft should announce the ‘new’ release of the Windows 10 October 2018 Update. The last few months have seen updates for SQL server, Exchange server, .NET and others so we may get a break from these special applications and operating systems.
• A zero-day exploit was reported in the data sharing service of Windows 10 and related server versions that results in privilege escalation. Expect to see this addressed, as well as the usual updates for the legacy Windows operating systems.
• Major updates have been made for Java, Chrome, and Firefox, so we expect only the usual Flash update next week.