
Patch Tuesday -- April 2018

This month’s Patch Tuesday fixes 63 CVE vulnerabilities, 17 of which are critical for Windows 10.

 

 


Let’s start with what didn’t happen as expected on Patch Tuesday this month: the release of Windows 10 version 1803, or Spring Creators Update as Microsoft watchers believe it will be dubbed. According to Windows Central, Microsoft found a blocking bug at the last minute and decided to delay the release, possibly for a couple of weeks. But Insiders who already have build 17133, previously thought to be the RTM release, did receive a cumulative update.

Windows

This month’s update for Windows 10 for x64-based systems patches twenty-five vulnerabilities in total. Of these, eleven are information disclosure, two privilege elevation, one security feature bypass, four denial of service, and seven remote code execution vulnerabilities. Critical updates for Edge and Internet Explorer include several memory corruption flaws that could allow an attacker to run arbitrary code on a user’s PC, and a fix for Adobe Flash that encompasses three remote code execution flaws and three information disclosure vulnerabilities.

There are five remote code execution bugs (CVE-2018-1010, CVE-2018-1012, CVE-2018-1013, CVE-2018-1015, and CVE-2018-1016) in the graphics component of Windows that could allow an attacker to take control of a device using a specially crafted font. Windows 7 gets six critical patches this month. Five relate to the font issue in the graphics component, and CVE-2018-1004 is a remote code execution vulnerability in the VBScript Engine. Windows Defender is also patched for a remote code execution vulnerability (CVE-2018-0986).

Windows Server

This month’s update for Windows Server 2016 patches 27 vulnerabilities in total. Eleven of these are information disclosure, three privilege elevation, two security feature bypass, four denial of service, and seven remote code execution vulnerabilities. Windows Server 2012 R2 gets patches for twenty-three vulnerabilities.

Device Guard gets a fix (CVE-2018-0966) for a vulnerability that could allow an attacker to make an untrusted file appear to be trusted. Active Directory gets patched for a problem where it incorrectly applies Network Isolation settings, potentially allowing an attacker who runs a specially crafted application to bypass firewall policies applied to Modern Applications. CVE-2018-0963 is a kernel escalation of privilege vulnerability that could allow an attacker to run code with elevated permissions. There is also an information disclosure bug for Hyper-V that might allow virtual machines to see the contents of the host operating system’s memory (CVE-2018-0957).

Microsoft Office

Microsoft Office gets four fixes this month. There are remote code execution flaws in VBScript (CVE-2018-1004) and Excel (CVE-2018-0920), plus an information disclosure vulnerability in .RTF file handling (CVE-2018-0950). SharePoint gets an elevation of privilege fix (CVE-2018-1034) that plugs a hole where an attacker could send a specially crafted request to SharePoint, then run cross-site scripting attacks and execute a script in the security context of the user. This flaw could allow an attacker to read content that they are not authorized to read, take actions on the SharePoint site on behalf of the user, and inject malicious content into the browser.

 


IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.
