Patch Tuesday — April 2018

This month’s Patch Tuesday fixes 63 CVE vulnerabilities, 17 of which are critical for Windows 10.

Let’s start with what didn’t happen as expected on Patch Tuesday this month and that’s the release of Windows 10 version 1803, or Spring Creators Update as Microsoft watchers believe it will be dubbed. According to Windows Central, Microsoft found a blocking bug at the last minute and decided to delay the release, possibly for a couple of weeks. But Insiders who already have build 17133, previously thought to be the RTM release, did receive a cumulative update.

Windows

This month’s update for Windows 10 for x64-based systems patches twenty-five vulnerabilities in total. Eleven of which are information disclosure, two privilege elevation, one security feature bypass, four denial of service, and seven remote code execution vulnerabilities. Critical updates for Edge and Internet Explorer include several memory corruption flaws that could allow an attacker to run arbitrary code on a user’s PC and a fix for Adobe Flash that encompasses three remote code execution flaws and three information disclosure vulnerabilities.

There are five remote code execution bugs (CVE-2018-1010, CVE-2018-1012, CVE-2018-1013, CVE-2018-1015, and CVE-2018-1016) in the graphics component of Windows that could allow an attacker to take control of a device using a specially-crafted font. Windows 7 gets six critical patches this month. Five relate to the font issue in the graphics component and CVE-2018-1004 is a remote code execution vulnerability in the VBScript Engine. Windows Defender is also patched for a remote code execution vulnerability (CVE-2018-0986).

Windows Server

This month’s update for Windows Server 2016 patches 27 vulnerabilities in total. Eleven of these are information disclosure, three privilege elevation, two security feature bypass, four denials of service, and seven remote code execution vulnerability. Windows Server 2012 R2 gets patches for twenty-three vulnerabilities.

Device Guard gets a fix (CVE-2018-0966) for a vulnerability that could allow an attacker to make an untrusted file appear to be trusted. And Active Directory gets patched for a problem where it incorrectly applies Network Isolation settings, potentially allowing an attacker that runs a specially-crafted application to bypass firewall policies applied to Modern Applications. CVE-2018-0963 is a kernel escalation of privilege vulnerability that could allow an attacker to run code with elevated permissions. There is also an information disclosure bug for Hyper-V that might allow virtual machines to see the contents of the host operating system’s memory (CVE-2018-0957).

Microsoft Office

Microsoft Office gets four fixes this month. There are remote code execution flaws in VBScript (CVE-2018-1004) and Excel (CVE-2018-0920), plus an information disclosure vulnerability in .RTF file handling (CVE-2018-0950). SharePoint gets an elevation of privilege fix (CVE-2018-1034) that plugs a hole where an attacker could send a specially crafted request to SharePoint and then run cross-site scripting attacks and run a script in the security context of the user. This flaw could allow an attacker to read content that they are not authorized to read, take actions on the SharePoint site on behalf of the user, and inject malicious content into the browser.