Microsoft released 50 updates during its monthly Patch Tuesday release. Eleven are rated critical remote code execution vulnerabilities and 39 are listed as important. The most critical patches impact Microsoft OS and Internet Explorer and deploying the fixes for these vulnerabilities is recommended immediately. Also of note: one of the vulnerabilities, a remote code execution flaw (CVE-2018-8267) in the scripting engine, is listed as being publicly known, but not under active attack, at this time. Here are highlights from this month’s release with the information you need to prioritize your patching efforts. Most Critical Patches Analysis from researchers on this month’s release advises Windows admins to prioritize CVE-2018-8225, a remote code execution vulnerability that occurs when the Windows Domain Name System (DNS) component DNSAPI.dll fails to handle DNS responses properly. This article is part of our premium content. Join Now.Already a paid subscriber? Click here to login.
Two zero-day exploits need attention now, say analysts. Microsoft patched 68 vulnerabilities in its monthly Patch Tuesday release, including two zero-day exploits. Of the patches 21 are listed as critical, 45 rated important and two listed low in severity. Updates this month affect several products including Microsoft Windows, Internet Explorer, Edge, Office and Exchange Server. Obviously, the priority for deploying is for those are those under active attack. That includes are CVE-2018-8174, a Windows VBScript Engine Remote Code Execution Vulnerability. The flaw was discovered and reported by Kaspersky Lab researchers and impacts IE and other projects that embed the IE web rendering engine. “This technique, until fixed, allowed criminals to force Internet Explorer to load, no matter which browser one normally used — further increasing an already huge attack surface,” according to Anton Ivanov, security researcher at Kaspersky, in an email to Ars Technica. “We urge organizations and private users to install recent patches immediately, as it won’t be long before exploits to this vulnerability make it to popular exploit kits and will be used not only by sophisticated threat actors but also by standard cybercriminals.” The other bug to prioritize is CVE-2018-8120, a vulnerability in older Windows OS versions … Read More
Close to 70 vulnerabilities addressed in this month’s Patch Tuesday update from Microsoft Microsoft patched 67 different vulnerabilities in its monthly Patch Tuesday release. Of the common vulnerabilities and exposures (CVEs), 24 are considered Critical, 42 are rated Important, and one is characterized as Moderate in severity. There are no zero-day patches this month. Affected products include: Microsoft Windows, Internet Explorer, Microsoft Edge, ChakraCore, Microsoft Office and Microsoft Office Services and Web Apps, Adobe Flash Player, Microsoft Malware Protection Engine, Microsoft Visual Studio, and the Microsoft Azure IoT SDK. Adobe also patched 6 vulnerabilities in Adobe Flash. The details on the releases can be found on the Microsoft site. While there were no zero-day releases, Microsoft had already released urgent fixes in weeks leading up to Tuesday, including one that addresses an exploit that was created in an attempt to correct earlier patch issues related the Meltdown chip vulnerability. Across industry blogs on this month’s patches, researchers noted several of the updates deserved attention. Also notable is Microsoft’s disclosure of a publicly known SharePoint elevation of privilege bug (CVE-2018-1034). “There is one public disclosure this month in SharePoint Server. The challenging aspect of this month is that there are enough … Read More