For its July 2018 Patch Tuesday, Microsoft has patched 53 vulnerabilities. 17 of them are critical and 16 of those affect Internet Explorer and Edge.
“The 16 CVEs covering browsers should be prioritized for workstation type devices, meaning any system where users are commonly accessing the public internet through a browser or checking email. This includes multi-user servers that are used as remote desktops for users,”
According to Jimmy Graham, Director of Product Management at Qualys, the 16 CVEs covering browsers should be prioritized for workstation type devices, meaning any system where users are commonly accessing the public internet through a browser or checking email.
“This includes multi-user servers that are used as remote desktops for users,” he added.
The remaining critical vulnerability (CVE-2018-8327) affects the PowerShell Editor and PowerShell Extension, and can be leveraged to achieve remote code execution.
He also flagged the only low severity bug fixed in the update: CVE-2018-8310. It is a Microsoft Office vulnerability that could be exploited by attackers to embed untrusted TrueType fonts into an email.
“Bugs in fonts have been popular since 2013 and have been used in malware attacks in the past. This bug could allow them to spread and possibly even bypass traditional filters. That’s likely the reason Microsoft chose to go ahead and release a patch for this Low-rated vulnerability,” he explained.
Microsoft has also released updates for all supported Windows versions that provide mitigations for Lazy FP State Restore, the side-channel information disclosure attack on speculative execution used by Intel Core-based microprocessors. The company accompanied those updates with an advisory providing guidance on how to stay on top of the issue.
As per usual, Adobe has also marked Patch Tuesday by releasing security updates for its various products.
“Microsoft has provided patches for Flash on supported operating systems. These patches should be prioritized for all workstation type systems.”
Users of Adobe Reader or Acrobat are also advised to update these products as soon as possible.
Most of the CVE-numbered vulnerabilities plugged by Adobe this Tuesday came from Trend Micro’s Zero Day Initiative, and many are related to file format parsing.
“In the past, we saw Microsoft implement mitigations for certain types of vulnerabilities that shut down entire classes of bugs. To address the substantial number of bugs we continue to buy in Adobe products, they may need to take a similar approach,” Childs commented.