Administrators have a servicing stack update to address amid the usual monthly Windows updates for November Patch Tuesday. But, first, they must prioritize another Windows zero-day vulnerability.
The servicing stack update (ADV990001) is for all supported Windows client and server OSes. For several OSes, there is a known issue that halts the update before it completes. Administrators must hit Ctrl-Alt-Delete, and then the update will complete. In another instance, an install will fail, try again and succeed on the second try.
"The servicing stack update is going to be a lot of headaches with systems halting and pressing Ctrl-Alt-Delete to proceed," said Chris Goettl, director of product management at Ivanti, based in South Jordan, Utah.
Experts spotlight Windows zero-day vulnerability and public disclosure
Microsoft closed 62 vulnerabilities, with 12 rated critical, in the November Patch Tuesday releases. Admins should focus on patching systems affected by a zero-day exploit and public disclosure as quickly as possible, Goettl said.
By exploiting the Windows zero-day vulnerability (CVE-2018-8589), rated important, attackers can run arbitrary code in Windows 7, Windows Server 2008 and Windows Server 2008 R2. The attacker must first gain access to the system, but could then take advantage of Windows improperly handling calls to Win32k.sys to obtain full access.
The security feature bypass vulnerability (CVE-2018-8566), which Microsoft disclosed last week with advisory ADV180028, could allow an attacker to access encrypted data when Windows improperly suspends BitLocker device encryption. This vulnerability affects Windows 10, Windows Server 2016 and 2019, and it requires an attacker to gain physical access to the system when it is powered off.
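Because the risk here is an encrypted volume left with BitLocker protection suspended, a quick audit can flag that state. The following PowerShell is an added example, not from the article or from Microsoft; it assumes an elevated session on a system with the BitLocker module available, and the `State` labels are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example: flag volumes that hold encrypted data but whose BitLocker
# protection is off (suspended), so the data is not protected at rest.

$findings = foreach ($vol in Get-BitLockerVolume) {
    # Anything other than FullyDecrypted has ciphertext on disk.
    $hasEncryptedData = $vol.VolumeStatus -ne 'FullyDecrypted'

    # State labels below are this example's own, not BitLocker terminology.
    $state = if (-not $hasEncryptedData) {
        'NotEncrypted'
    } elseif ($vol.ProtectionStatus -eq 'On') {
        'Protected'
    } else {
        'Suspended'   # encrypted, but protectors are disabled
    }

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        KeyProtectors    = ($vol.KeyProtector.KeyProtectorType -join ', ')
        State            = $state
    }
}

$findings | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or compliance tool alert on it.
$suspended = @($findings | Where-Object State -eq 'Suspended')
if ($suspended.Count -gt 0) {
    Write-Warning ("BitLocker protection is suspended on: " +
        ($suspended.MountPoint -join ', '))
    exit 1
}
exit 0
```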
"All the criticals this month were either in the operating system or the Edge browser, so our recommendation is to focus on the OS and Edge first," Goettl said.
No patches for new side-channel exploit, another Windows zero-day
Administrators will have to do extra work to manage other unresolved vulnerabilities in their environment.
Earlier this month, researchers revealed another side-channel attack that uses simultaneous multithreading architecture to steal data. Dubbed PortSmash, this attack method uses a unique spin on the side-channel vulnerabilities exposed earlier this year with the Meltdown and Spectre flaws.
With PortSmash, a malicious process executes code on the processor and checks the timing to determine what is running on a separate thread of the same processor. The malicious code needs to run on the same core as the targeted process. Academic researchers used proof-of-concept code to demonstrate how to get an encryption key out of memory on an OpenSSL-powered Transport Layer Security server.
Administrators can mitigate this vulnerability by disabling simultaneous multithreading.
"Right now, there's no patch for PortSmash other than disabling hyper-threading. Obviously, that decreases performance," said Jimmy Graham, director of product management at Qualys, based in Redwood City, Calif.
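To see which Windows hosts still have simultaneous multithreading active before or after changing the setting, the core and logical-processor counts can be compared per socket. The following PowerShell is an added example, not from the article or the vendors quoted; the `-ComputerName` parameter and the output column names are this example's assumptions, and remote queries assume WinRM is reachable.

```powershell
# Added example: report whether SMT (hyper-threading) is active per CPU socket.
# SMT is considered active when a socket exposes more logical processors
# than physical cores. Inside a VM the counts reflect the virtual topology.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME)   # assumed parameter
)

$report = foreach ($computer in $ComputerName) {
    $query = @{ ClassName = 'Win32_Processor'; ErrorAction = 'Stop' }
    # Query the local machine directly; only remote hosts go through WinRM.
    if ($computer -ne $env:COMPUTERNAME) { $query.ComputerName = $computer }

    try {
        $cpus = Get-CimInstance @query
    }
    catch {
        # Record unreachable hosts instead of silently skipping them.
        [pscustomobject]@{
            Computer = $computer; Socket = $null; Cores = $null
            LogicalProcessors = $null; SmtActive = $null
            Error = $_.Exception.Message
        }
        continue
    }

    foreach ($cpu in $cpus) {
        [pscustomobject]@{
            Computer          = $computer
            Socket            = $cpu.DeviceID
            Cores             = $cpu.NumberOfCores
            LogicalProcessors = $cpu.NumberOfLogicalProcessors
            SmtActive         = $cpu.NumberOfLogicalProcessors -gt $cpu.NumberOfCores
            Error             = $null
        }
    }
}

$report | Sort-Object Computer, Socket | Format-Table -AutoSize

# Summarize hosts where the mitigation has not been applied.
$report | Where-Object SmtActive |
    Select-Object -ExpandProperty Computer -Unique |
    ForEach-Object { Write-Warning "SMT is still active on $_" }
```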
Another zero-day vulnerability that affects Windows 10 and Windows Server 2016 and 2019 was discovered by the same security researcher who identified a similar zero-day vulnerability in August 2018.
As described by Twitter user SandboxEscaper, an attacker can use this flaw to elevate privileges and delete files without permission through the data-sharing service, which handles data brokering between applications.
Microsoft rereleases Windows Server 2019, discontinues hotfix service
Microsoft made Windows Server 2019 and Windows 10 version 1809 generally available on Oct. 2, 2018, but the company pulled both within two weeks because of isolated reports that the Windows 10 upgrade deleted files. Despite Windows Server 2019 having no issue, Microsoft pulled it for testing, because it shares kernel code with Windows 10. Microsoft said it fixed the issue and rereleased both Windows 10 version 1809 and Windows Server 2019.
In addition, Microsoft discontinued its hotfix and Easy Fix services, which had offered administrators a way to patch smaller Windows issues, such as correcting a faulty Intel audio driver. Microsoft did not issue a formal announcement, but administrators who try to find hotfixes on Microsoft's website get sent to the Microsoft Update Catalog.
Admins can still search for previous hotfix downloads in the Microsoft Update Catalog or Download Center. Issues addressed by the Easy Fix service are resolved by troubleshooting currently built into Windows.
"Removing this service falls in line with pushing users to upgrade their OS," Graham said.
These changes affect a small number of devices in the Windows base, but represent a real pain for IT organizations, Goettl said.
"Microsoft is going to feel pressure to have to respond to hotfixes down the road. This is not something they can walk away from lightly," he said.