October 2018 Patch Tuesday Briefing

October 10, 2018 Jonathan Cran

As a service to our customers, we post a monthly update when Patch Tuesday (second Tuesday of every month) rolls around. Below, you’ll find information about the new updates released from Microsoft and Adobe this cycle, and additional context that may be helpful as you prioritize these newly released vulnerabilities.

This month, Microsoft released fixes for 49 new vulnerabilities in the following products:

  • Internet Explorer
  • Microsoft Edge
  • Microsoft Office (PowerPoint, Excel, Word)
  • Microsoft Azure
  • Microsoft Windows
  • Microsoft Exchange Server
  • Microsoft Device Guard
  • Microsoft JET Database engine
  • Microsoft SQL Server Management Studio
  • ChakraCore
  • Microsoft Windows Hyper-V

Additionally, Adobe released bulletins and patches for 101 vulnerabilities this cycle in the following products:

  • Adobe Technical Communications Suite
  • Adobe FrameMaker
  • Adobe Experience Manager
  • Adobe Flash Player
  • Adobe Acrobat and Reader (Released on October 1)

Adobe Flash and Reader remain the most actively exploited client-side software according to Kenna’s intelligence (by number of unique events detected in 2018 associated with CVEs in the software), so ensuring these are regularly patched should remain a high priority.

Consistent with the findings in our Prioritization to Prediction report, only a small number of vulnerabilities from any given Patch Tuesday release are ever exploited in the wild. At the time of writing, 8 CVEs from the last 4 months (July, August, September, October) have had events detected in the wild by Kenna’s global threat telemetry:

  • CVE-2018-5028 (released in July cycle)
  • CVE-2018-12794 (released in July cycle)
  • CVE-2018-8353 (released in August cycle)
  • CVE-2018-8401 (released in August cycle)
  • CVE-2018-8414 (released in August cycle)
  • CVE-2018-8353 (released in September cycle)
  • CVE-2018-8440 (released in September cycle)
  • CVE-2018-8453 (released in this cycle)

The detection in the wild of these (and only these) CVEs continues to constitute a <2% rate of exploitation in the wild across all Adobe and Microsoft CVEs released in the last four months.

As always, Kenna intelligence and scoring are dynamic and subject to significant adjustment based on new information. To check the latest scores, sign up here. You can view the raw data and analysis for this blog post here.

The post October 2018 Patch Tuesday Briefing appeared first on Kenna Security.
