What patches to prioritize following the April 2018 Patch Tuesday?

Patch Tuesday came and went and, as usual, Microsoft and Adobe have released patches/security updates for vulnerabilities affecting a wide variety of their products.

April 2018 Patch Tuesday

Adobe’s patches

This April 2018 Patch Tuesday Adobe addressed vulnerabilities in Adobe PhoneGap Push Plugin, Adobe Digital Editions, Adobe InDesign, Adobe Experience Manager, and Adobe Flash Player.

Of these updates, the most important one is that for Adobe Flash Player. Not only is the product the most widely used of those mentioned above, but it also patches three critical vulnerabilities that can lead to remote code execution if exploited.

The other priority updates should be those for Adobe InDesign, the company’s popular desktop publishing software application, and ColdFusion, its rapid web application development platform.

The former plugs two holes, one of which is a critical memory corruption vulnerability caused by unsafe parsing of a specially crafted .inx file and could be exploited for malicious code execution. The latter fixes several information disclosure and privilege escalations flaws, and a critical Java deserialization vulnerability.

“Coldfusion servers should be patched as soon as possible. Patches for Flash or InDesign should also be treated as high priority for Workstation-type devices,” Jimmy Graham, Director of Product Management at Qualys, advised.

Microsoft’s patches

Microsoft addressed at least 65 vulnerabilities in its two browsers, ChakraCore (the core part of the Chakra Javascript engine that powers Microsoft Edge), Windows, Microsoft Office and Microsoft Office Services and Web Apps, Adobe Flash Player, its Malware Protection Engine, Microsoft Visual Studio and Microsoft Azure IoT SDK.

SANS ISC’s Johannes Ullrich provided an easy-to-scan overview of the fixed flaws which shows that the Internet Explorer, Edge and Adobe Flash Player updates are the most critical.

Vulnerabilities of note include five critical ones in the Windows Font Library (labeled as Microsoft Graphics in the bulletins).

“Those of us who lived through Duqu always shudder a bit when we see font-related bugs, and these have me downright shivering,” Trend Micro’s Zero Day Initiative’ Dustin Childs commented.

“Each of these patches covers a vulnerability in embedded fonts that could allow code execution at the logged-on user level. Since there are many ways to view fonts – web browsing, documents, attachments – it’s a broad attack surface and attractive to attackers. Given the history of malicious fonts, these patches should be high on your test and deployment list.”

Graham echoes that advice, and says that these updates should be prioritized for workstation-type devices as well as servers.

Another critica vulnerability with a patch is CVE 2018-1004, a Windows VBScript Engine RCE flaw.

“To exploit this vulnerability, an attacker could host a malicious website and convince someone to browse there – just like most browser bugs. With this bug, an attacker could also embed an ActiveX control marked ‘safe for initialization’ in an application or Microsoft Office document that hosts the IE rendering engine. These vectors make this bug more appealing than a browser bug since the attack surface is broader,” says Childs.

The Malware Protection Engine flaw noted in the releases has been fixed last week and deployed through regular updates, so most users don’t have to do anything to be protected. For those few who have configured their systems not to automatically search for and implement these updates, implementing this patch as soon as possible is advised.