Two zero-day exploits need attention now, say analysts.
Microsoft patched 68 vulnerabilities in its monthly Patch Tuesday release, including two zero-day exploits. Of the patches, 21 are listed as critical, 45 are rated important and two are listed as low in severity. Updates this month affect several products including Microsoft Windows, Internet Explorer, Edge, Office and Exchange Server.
Obviously, the priority for deployment is the patches for vulnerabilities under active attack. That includes CVE-2018-8174, a Windows VBScript Engine Remote Code Execution Vulnerability. The flaw was discovered and reported by Kaspersky Lab researchers and impacts IE and other projects that embed the IE web rendering engine.
“This technique, until fixed, allowed criminals to force Internet Explorer to load, no matter which browser one normally used — further increasing an already huge attack surface,” according to Anton Ivanov, security researcher at Kaspersky, in an email to Ars Technica. “We urge organizations and private users to install recent patches immediately, as it won’t be long before exploits to this vulnerability make it to popular exploit kits and will be used not only by sophisticated threat actors but also by standard cybercriminals.”
The other bug to prioritize is CVE-2018-8120, a vulnerability in older Windows OS versions (Windows 7, Server 2008, Server 2008 R2) that has been detected in exploits in the wild, according to Chris Goettl in his monthly post for Ivanti.