In what Microsoft says will be the last cumulative update in 2018 before the holiday season, there are patches for 38 CVEs, including a zero-day.
This month there are patches for 12 CVEs for Windows 10 and Server 2016, two of which are rated critical. CVE-2018-8626 is a DNS server heap overflow vulnerability that could allow an attacker to run arbitrary code in the context of the Local System account on Windows servers by sending malicious requests to servers where the DNS service is installed. A remote code execution vulnerability in Microsoft Text-To-Speech could let an attacker take control of affected systems. Users who run with fewer privileges are at less risk.
There are three escalation of privilege patches, six information disclosure patches, and one denial of service patch, all rated important. CVE-2018-8611 is a Windows kernel escalation of privilege vulnerability where the kernel fails to properly handle objects in memory, allowing an attacker to run code in kernel mode. This flaw would require an attacker to log in to a system and then run code to exploit the vulnerability. Microsoft says that this flaw is already being exploited.
Microsoft Edge and ChakraCore are patched for five critical remote code execution vulnerabilities. All of them could allow an attacker to run arbitrary code in the context of the logged-on user, so users without administrative privileges are at less risk. The .NET Framework also gets a patch for a remote code injection vulnerability that could allow an attacker to install programs and create new accounts with full user rights. Internet Explorer 11 gets three remote code execution patches, one of which is a memory corruption vulnerability that is rated critical and could allow an attacker to run code in the context of the logged-on user.
Windows 7, Server 2008, and Server 2008 R2 get 9 patches this month. Two are for escalation of privilege – see above for information on CVE-2018-8611 – and the rest are information disclosure. CVE-2018-8641 is a critical Win32k elevation of privilege vulnerability but it is not currently being exploited.
Exchange Server 2016 Cumulative Update 10 and 11 get an important patch to fix a tampering vulnerability that could be used to change users’ profile data. Microsoft SharePoint Enterprise Server 2016 gets three patches for elevation of privilege, remote code execution, and spoofing flaws, all rated important. Microsoft Dynamics NAV 2016 and 2017 get a patch for an important spoofing flaw that could allow an attacker to read data the logged-in user isn’t authorized to view and take actions on the victim’s behalf, like changing permissions and deleting data.
Office 365 ProPlus (Click to Run) gets six important patches. Four are remote code execution flaws and two are information disclosure. Users running without administrative privileges are at less risk from the remote code execution flaws.
Patches for Flash Player were already released a few days before Patch Tuesday, but new versions of Acrobat and Reader were released, fixing 87 vulnerabilities, 39 of which are critical.
More from Russell Smith
Copyright ©2019 BWW Media Group