Search the Petri IT Knowledgebase

The Unofficial M365 Changelog

Sponsors

Podcasts

Learning Center
search icon

close

Icon for Latest Whitepaper

Latest Whitepaper

Choosing an MFA Solution for Your Active Directory Environment? Ask These 15 Questions.
Icon for On-Demand Webinar

On-Demand Webinar

Combating Cyberattacks in 2022: Prepare to Defend Your Active Directory
Icon for Upcoming Conference

Upcoming Conference

GET-IT Microsoft Cloud Security and Compliance 1-Day Virtual Conference
Icon for Ebook

Ebook

The Forrester New Wave™: SaaS Application Data Protection, Q4 2021

Home

Security

Patch Tuesday — April 2018

Author avatar - Russell Smith

Russell Smith

 |

Apr 18, 2018

This month’s Patch Tuesday fixes 63 CVE vulnerabilities, 17 of which are critical for Windows 10.

advertisment

 

 

Let’s start with what didn’t happen as expected on Patch Tuesday this month and that’s the release of Windows 10 version 1803, or Spring Creators Update as Microsoft watchers believe it will be dubbed. According to Windows Central, Microsoft found a blocking bug at the last minute and decided to delay the release, possibly for a couple of weeks. But Insiders who already have build 17133, previously thought to be the RTM release, did receive a cumulative update.

Windows

This month’s update for Windows 10 for x64-based systems patches twenty-five vulnerabilities in total. Eleven of which are information disclosure, two privilege elevation, one security feature bypass, four denial of service, and seven remote code execution vulnerabilities. Critical updates for Edge and Internet Explorer include several memory corruption flaws that could allow an attacker to run arbitrary code on a user’s PC and a fix for Adobe Flash that encompasses three remote code execution flaws and three information disclosure vulnerabilities.

advertisment

There are five remote code execution bugs (CVE-2018-1010, CVE-2018-1012, CVE-2018-1013, CVE-2018-1015, and CVE-2018-1016) in the graphics component of Windows that could allow an attacker to take control of a device using a specially-crafted font. Windows 7 gets six critical patches this month. Five relate to the font issue in the graphics component and CVE-2018-1004 is a remote code execution vulnerability in the VBScript Engine. Windows Defender is also patched for a remote code execution vulnerability (CVE-2018-0986).

Windows Server

This month’s update for Windows Server 2016 patches 27 vulnerabilities in total. Eleven of these are information disclosure, three privilege elevation, two security feature bypass, four denials of service, and seven remote code execution vulnerability. Windows Server 2012 R2 gets patches for twenty-three vulnerabilities.

Device Guard gets a fix (CVE-2018-0966) for a vulnerability that could allow an attacker to make an untrusted file appear to be trusted. And Active Directory gets patched for a problem where it incorrectly applies Network Isolation settings, potentially allowing an attacker that runs a specially-crafted application to bypass firewall policies applied to Modern Applications. CVE-2018-0963 is a kernel escalation of privilege vulnerability that could allow an attacker to run code with elevated permissions. There is also an information disclosure bug for Hyper-V that might allow virtual machines to see the contents of the host operating system’s memory (CVE-2018-0957).

Microsoft Office

Microsoft Office gets four fixes this month. There are remote code execution flaws in VBScript (CVE-2018-1004) and Excel (CVE-2018-0920), plus an information disclosure vulnerability in .RTF file handling (CVE-2018-0950). SharePoint gets an elevation of privilege fix (CVE-2018-1034) that plugs a hole where an attacker could send a specially crafted request to SharePoint and then run cross-site scripting attacks and run a script in the security context of the user. This flaw could allow an attacker to read content that they are not authorized to read, take actions on the SharePoint site on behalf of the user, and inject malicious content into the browser.

advertisment

 

More from Russell Smith

TWiIT ep20

Windows 11 Approved for Broad Deployment and 'One Outlook' Drops for Insiders
This Week in IT Ep 19

Microsoft Takes on Rival Calendly with Outlook Bookings - Plus the Latest IT News Updates
Vertical tabs in Edge and Chrome

Find Open Tabs Faster in Chrome and Edge! - Plus IT News Update and Petri Spotlight

advertisment

Petri Newsletters

Whether it’s Security or Cloud Computing, we have the know-how for you. Sign up for our newsletters here.

advertisment

More in Security

Cloud Computing

Build 2022: Microsoft Boosts Data Analytics and Cybersecurity in New Training & Certifications

May 24, 2022 | Rabia Noureen

Network Security

Microsoft Defender for Office 365 to Get Preset Security Policy Improvements In June

May 23, 2022 | Rabia Noureen

Security

Microsoft Detects 254% Spike in XorDDoS Attacks on Linux Servers

May 23, 2022 | Rabia Noureen

Security

CISA Warns Federal Agencies to Mitigate Critical VMware Vulnerabilities by May 23

May 20, 2022 | Rabia Noureen

Windows Server 3 Hero Approved

CISA Warns Windows Admins Against Applying May Patch Tuesday Updates on Domain Controllers

May 17, 2022 | Rabia Noureen

Security

F5 Confirms New Remote Code Execution Flaw in BIG-IP Systems

May 9, 2022 | Rabia Noureen

Most popular on petri

Log in to save content to your profile.

Login

Sign Up

Username/Email

Password

Forgot Password?

Login

Article saved!

Access saved content from your profile page. View Saved

Reach out

Contact Us

Advertising

About Us

Media Kit

Learn More

Podcasts

Learning Center

Webinars

Sitemap

Windows

Cloud

Office 365

Servers

Join The Conversation

Create a free account today to participate in forum conversations, comment on posts and more.

Copyright ©2019 BWW Media Group

Terms and Conditions of Use

 |

Privacy Policy