
Patch Tuesday -- April 2018

This month’s Patch Tuesday fixes 63 CVE vulnerabilities, 17 of which are critical for Windows 10.




Let’s start with what didn’t happen as expected on Patch Tuesday this month: the release of Windows 10 version 1803, or Spring Creators Update, as Microsoft watchers believe it will be dubbed. According to Windows Central, Microsoft found a blocking bug at the last minute and decided to delay the release, possibly for a couple of weeks. But Insiders who already have build 17133, previously thought to be the RTM release, did receive a cumulative update.


This month’s update for Windows 10 for x64-based systems patches twenty-five vulnerabilities in total: eleven information disclosure, two privilege elevation, one security feature bypass, four denial of service, and seven remote code execution vulnerabilities. Critical updates for Edge and Internet Explorer include fixes for several memory corruption flaws that could allow an attacker to run arbitrary code on a user’s PC and a fix for Adobe Flash that encompasses three remote code execution flaws and three information disclosure vulnerabilities.

There are five remote code execution bugs (CVE-2018-1010, CVE-2018-1012, CVE-2018-1013, CVE-2018-1015, and CVE-2018-1016) in the graphics component of Windows that could allow an attacker to take control of a device using a specially-crafted font. Windows 7 gets six critical patches this month. Five relate to the font issue in the graphics component and CVE-2018-1004 is a remote code execution vulnerability in the VBScript Engine. Windows Defender is also patched for a remote code execution vulnerability (CVE-2018-0986).

Windows Server

This month’s update for Windows Server 2016 patches 27 vulnerabilities in total: eleven information disclosure, three privilege elevation, two security feature bypass, four denial of service, and seven remote code execution vulnerabilities. Windows Server 2012 R2 gets patches for twenty-three vulnerabilities.

Device Guard gets a fix (CVE-2018-0966) for a vulnerability that could allow an attacker to make an untrusted file appear to be trusted. Active Directory is also patched for a problem where it incorrectly applies Network Isolation settings, potentially allowing an attacker who runs a specially-crafted application to bypass firewall policies applied to Modern Applications. CVE-2018-0963 is a kernel escalation of privilege vulnerability that could allow an attacker to run code with elevated permissions. There is also an information disclosure bug for Hyper-V that might allow virtual machines to see the contents of the host operating system’s memory (CVE-2018-0957).

Microsoft Office

Microsoft Office gets four fixes this month. There are remote code execution flaws in VBScript (CVE-2018-1004) and Excel (CVE-2018-0920), plus an information disclosure vulnerability in .RTF file handling (CVE-2018-0950). SharePoint gets an elevation of privilege fix (CVE-2018-1034) that plugs a hole where an attacker could send a specially crafted request to SharePoint, then carry out cross-site scripting attacks and run a script in the security context of the user. This flaw could allow an attacker to read content that they are not authorized to read, take actions on the SharePoint site on behalf of the user, and inject malicious content into the browser.


IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.