Microsoft Issues Patches for 54 Vulnerabilities; 17 Critical

This Patch Tuesday has seen Microsoft issue patches for 54 vulnerabilities, 27 of which could allow remote code execution. 17 of the flaws have been rated critical and 33 are rated important. Three of the vulnerabilities were disclosed before Microsoft released patches. The patches address bugs in 15 products.

The majority of the critical flaws are scripting errors in Internet Explorer, including four memory corruption vulnerabilities in the Jscript Chakra scripting engine for the 32-bit version of Internet Explorer. These are CVE-2018-8280, CVE-2018-8286, CVE-2018-9290, and CVE-2018-8294. All could be exploited to allow remote code execution.

Eight flaws have been corrected in Microsoft Edge: Four information disclosure vulnerabilities (CVE-2018-8289, CVE-2018-8325, CVE-2018-8324, CVE-2018-8297), three memory corruption vulnerabilities (CVE-2018-8301, CVE-2018-8274, CVE-2018-8262), and one spoofing vulnerability (CVE-2018-8278). The spoofing vulnerability could be used to trick a user into thinking they are on a legitimate website. “[A] specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services,” said Microsoft.

In total, 16 of the critical flaws affect browsers or technologies related to browsers. These should be a priority for all workstations used to access the Internet.

One critical vulnerability affects the PowerShell Editor Services (CVE-2018-8327), which should be prioritized as PowerShell is often used to deliver malicious payloads.

CVE-2018-8304 is a Windows DNSAPI Denial of Service vulnerability that could allow an attacker to remotely shut down a DNS server simply using a malformed DNS response.

CVE-2018-8310 has been rated low risk, although a patch was issued to correct this Microsoft Office flaw, which would allow an attacker to embed untrusted TrueType fonts into an email and, by doing so, bypass spam filters and ensure malicious messages are delivered to end users.

CVE-2018-8319 is an MSR JavaScript cryptography library security feature bypass vulnerability. This flaw allows an attacker to generate signatures that mimic the entity associated with a public/private key pair, making an attack seem genuine.

Microsoft has also addressed the Lazy FP State Restore vulnerability, which is similar to the Meltdown/Spectre vulnerabilities, and could allow remote code execution on a vulnerable system.

Microsoft has also incorporated Adobe patches which address Flash vulnerabilities on its supported operating systems. Adobe has issued patches for 104 vulnerabilities in Reader, Acrobat, Connect, Experience Manager, and Flash, 96 of which are rated critical or important.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of