Post-Patch Tuesday Roundup: November 2018

Posted on Friday, November 16, 2018
Get in touch
By Tim Lovegrove
Security Analyst


More News

Welcome to the November 2018 Patch Roundup, where we look at the latest updates from a few key vendors and dissect some of the important releases. There are fewer notable updates this month, check back to October and September's editions for other updates, but still many worth mentioning...

Microsoft

Microsoft were forced to drop an out-of-cycle round of BitLocker updates on the 6th November to patch a highly-publicised bug in embedded encryption on SSDs from Samsung and Crucial. This patch covered all versions currently supported by the Windows ecosystem, and anyone relying on BitLocker with self-encrypting SSDs should take a look.

The bug allows an attacker in possession of the SSD to bypass the encryption with ease, and in certain circumstances, no password was required to access data. The triviality of the attack is tempered somewhat by the need for physical access, but since BitLocker is widespread and intended to protect lost or stolen devices, it’s a significant concern.

A big day ahead as far as Patch Tuesday goes, with the re-issue of the botched 1809 update for Windows 10 and Server 2019. This semi-annual update was pulled last month after reports of data loss from users installing it early, and Microsoft have been working feverishly to rectify the issue. In addition, the regular monthly updates fix a total of total 62 vulnerabilities, with 12 rated Critical. One of these, CVE-2018-8589, is reported to have active exploits in the wild, and there are several Browser and Scripting Engine bugs that should be prioritised for workstations.

Adobe & Oracle

No big surprises from Adobe, with the standard Flash and Reader updates released on Patch Tuesday, in line with Microsoft. Fixing a myriad of critical bugs, a swift roll-out is always recommended for these updates. The Reader update addresses another bug with publically-available proof of concept code, so real-world attacks will no doubt follow.

Oracle slipped out Java Version 8 Update 191 shortly after October’s blog went live, and there’s some interesting things under the hood. Following the lead of Chrome and Mozilla, a batch of Symantec-issued certs have been distrusted and their root certificates removed from the product. Continuing the theme of tidying up obsolete services, support for all DES TLS cipher suites has also been dropped. This should be no surprise given the age of DES, but the option to re-enable the cipher suites is there in the release notes, to keep some level of backward compatibility.

VMware

As was widely predicted, Update 1 for ESXi 6.7 landed in the middle of October, however this has swiftly been followed with four more critical-rated patches covering ESXi itself, and vSAN components. The first, a bug in uninitialised stack memory for vmxnet3 network adapters, allows guest-to-host escape, while the vSAN issues affect vSphere Replication using Site Recovery Manager (which can cause PSOD), deduplication-enabled disk groups and performance issues caused by SATA disks & controllers responding incorrectly to SMART commands.

Get in Touch

If you'd like to find out more about any of these patch updates please don't hesitate to get in touch with your account manager or contact us using the button below.

Get in touch
Comments

We would love to hear any comments you have about this article!