May 2018 Patch Tuesday forecast: Where are the flowers?

SmartNA PortPlus - High Performance Visibility Solutions that scale with your network.

May 2018 Patch Tuesday forecastThe wintry weather doesn’t want to give up its hold on us here in the US. The extended cold has kept the spring flowers from blooming, dragging out the winter blues.

It doesn’t look any better in the IT world this month either. A new zero-day attack and Microsoft re-enabling the last of the three Meltdown and Spectre mitigations continues to keep things gloomy. On the horizon is yet another round of Spectre vulnerabilities that have been discovered.

Double Kill

Security researchers reported a new zero-day vulnerability to Microsoft on April 19. This vulnerability, called Double Kill, exists in Internet Explorer. When a user opens a malicious Word document containing the exploit, Internet Explorer is started silently in the background and downloads a secondary payload. This payload could be ransomware or other software to take over the system.

There are reports of an APT using this attack, so remind your users once again not to open documents from an unknown source. No word from Microsoft if a patch will be available shortly, so we need to keep an eye on this one.

Microsoft

Microsoft released KB4078407 on April 24 to update and re-enable the Spectre Variant 2 associated with CVE 2017-5715, Branch Target Injection. This update is for all currently supported Windows 10 and Windows Server 2016 versions. A full description, updated April 24 when the patch was released, is found in advisory ADV180002. This update provides microcode updates for the Intel family of processors. A complete list is found in KB4091666. In addition to providing mitigation for Spectre Variant 2, this update fixes the Intel reboot issues found in the March KB4090007 update.

Intel

In addition to the Spectre Variant 2 update, there are now reports of another 8 vulnerabilities on Intel processors. The original report came from the German site Heise, and outlines the details currently available. There are eight new vulnerabilities reported, four of which are considered critical. One in particular is more concerning than the well-known Spectre variants already disclosed.

In the case of this vulnerability an attacker could cross boundaries of a virtual machine, capture credentials, etc. So, a new round of Spectre fixes will be in our future, maybe not this month though.

Windows 10

Microsoft has also released the latest feature version of Windows 10. Breaking their barely established tradition of naming, this version is called the ‘Windows 10 April 2018 Update.’ Computerworld provided an article on the pitfalls of continuing their previous naming theme, which you might find interesting. Regardless, we now have another version of Windows 10 to manage.

Oracle

On April 17 Oracle released updates for their products as part of their Quarterly Critical Patch Update (CPU). As expected there were new updates for Java, so don’t overlook those. You should be aware that free support of Java 8 ends in January 2019. Per the Java 8 downloads release notice “Public updates for Oracle Java SE 8 released after January 2019 will not be available for business, commercial or production use without a commercial license.”

Let’s hope as we get further into May that the weather warms up, spring arrives, and we have a ‘cheerful’ Patch Tuesday!

Forecast for May 2018

  • This should be a busy Patch Tuesday week for Mozilla. A new major version of Firefox is scheduled for release between May 7 and 9. The Firefox ESR branch will be split into two branches for two release cycles – 52.8 and 60, until Firefox 62 comes out. Once that happens, ESR 52.x will be EOL and ESR 60.x will be the only supported legacy branch. Mozilla Thunderbird usually follows the same schedule as Firefox ESR, so we’ll probably see a new major version next week.
  • The next major release of Google Chrome is scheduled for the end of May, but we could see a minor release next week.
  • Opera usually follows Chrome around, so there may be a minor release there as well.
  • Adobe provided the last release of Reader/Acrobat in February, so we are due for an update this month or next. They usually preannounce on the Thursday or Friday before, so we should know soon. And Adobe Flash, well we always expect an update!

With it being a Mozilla week and possibly an Acrobat/Reader week, May Patch Tuesday week has the potential to be a fairly heavy third party one.