Microsoft Fixes Sixty Vulnerabilities
Microsoft has fixed 60 vulnerabilities this monthly update round, including two zero-days and patches for the newly disclosed Intel L1TF bugs.
August Patch Tuesday saw updates to fix two zero-days already publicly disclosed and being exploited in the wild. These should be the top priorities for admins this month, according to Ivanti director of product management, security, Chris Goettl.
“CVE-2018-8373 is a vulnerability that exists in the way that the scripting engine handles objects in memory in Internet Explorer. Exploitation could result in remote code execution and grants the same privileges as the logged-in user including administrative rights. Because this vulnerability exists in IE 9, 10, and 11, it affects all Windows operating systems from Server 2008 to Windows 10,” he explained.
“The second zero-day vulnerability, CVE-2018-8414, is a code execution vulnerability that exists when the Windows Shell does not properly validate file paths. Exploitation can also result in remote code execution with the privileges of the logged-in user. This vulnerability is not as widespread, existing on only Windows 10 1703 and newer, Server 1709 and Server 1803.”
Microsoft also published an advisory covering the newly disclosed Spectre/Meltdown-like L1TF vulnerabilities. The Redmond giant has released several updates to help mitigate them, but warned that users of VBS or versions of Hyper-V prior to Windows Server 2016 may need to disable Hyper-Threading, which could cause performance degradation.
Elsewhere, Qualys director of product management, Jimmy Graham, urged admins to prioritize browser and scripting engine patches for “workstation-type devices,” especially a fix for CVE-2018-8373.
He also pointed to CVE-2018-8345 for workstations and servers, Exchange flaw CVE-2018-8302, and Microsoft SQL RCE vulnerability CVE-2018-8273 as ones to address urgently.
Not to be outdone, Adobe released more updates on Tuesday, including fixes for five Flash Player updates and two new critical flaws in Reader and Acrobat, to follow the 100 announced last month.