Microsoft plugs 53 security holes in July 2018 Patch Tuesday

For its July 2018 Patch Tuesday, Microsoft has patched 53 vulnerabilities. 17 of them are critical and 16 of those affect Internet Explorer and Edge.

Microsoft updates

“The 16 CVEs covering browsers should be prioritized for workstation type devices, meaning any system where users are commonly accessing the public internet through a browser or checking email. This includes multi-user servers that are used as remote desktops for users,”

According to Jimmy Graham, Director of Product Management at Qualys, the 16 CVEs covering browsers should be prioritized for workstation type devices, meaning any system where users are commonly accessing the public internet through a browser or checking email.

“This includes multi-user servers that are used as remote desktops for users,” he added.

The remaining critical vulnerability (CVE-2018-8327) affects the PowerShell Editor and PowerShell Extension, and can be leveraged to achieve remote code execution.

Of the 33 vulnerabilities deemed “Important”, Trend Micro’s Zero Day Initiative’ Dustin Childs singled out a security feature bypass flaw in the MSR JavaScript Cryptography Library (CVE-2018-8319), and a bug in the Windows DNSAPI (CVE-2018-8304) that could allow remote attackers to shut down a DNS server through a malformed DNS response, which could end up disrupting an organization’s operations.

He also flagged the only low severity bug fixed in the update: CVE-2018-8310. It is a Microsoft Office vulnerability that could be exploited by attackers to embed untrusted TrueType fonts into an email.

“Bugs in fonts have been popular since 2013 and have been used in malware attacks in the past. This bug could allow them to spread and possibly even bypass traditional filters. That’s likely the reason Microsoft chose to go ahead and release a patch for this Low-rated vulnerability,” he explained.

Microsoft has also released updates for all supported Windows versions that provide mitigations for Lazy FP State Restore, the side-channel information disclosure attack on speculative execution used by Intel Core-based microprocessors. The company accompanied those updates with an advisory providing guidance on how to stay on top of the issue.

Adobe updates

As per usual, Adobe has also marked Patch Tuesday by releasing security updates for its various products.

“Vulnerabilities in Acrobat, Reader, and Flash have been marked as critical. Flash has one critical CVE, while Acrobat and Reader have over 50,” Graham noted.

“Microsoft has provided patches for Flash on supported operating systems. These patches should be prioritized for all workstation type systems.”

Users of Adobe Reader or Acrobat are also advised to update these products as soon as possible.

Most of the CVE-numbered vulnerabilities plugged by Adobe this Tuesday came from Trend Micro’s Zero Day Initiative, and many are related to file format parsing.

“In the past, we saw Microsoft implement mitigations for certain types of vulnerabilities that shut down entire classes of bugs. To address the substantial number of bugs we continue to buy in Adobe products, they may need to take a similar approach,” Childs commented.