Patch Tuesday -- July 2018
This month’s Patch Tuesday was a relatively quiet one. Microsoft made a minor update to Spectre v4 patches, issued critical updates only for desktop editions of Windows, and patched three vulnerabilities that had already been publicly disclosed.
No Critical Patches for Windows Server
Microsoft issued 15 critical patches for Windows on Tuesday, July 10th. Unusually, they apply only to supported desktop editions of Windows (Windows 7 SP1 through to the Windows 10 April 2018 Update) and not to any version of Windows Server. The patches affect Microsoft Edge, Internet Explorer, and the ChakraCore scripting engine. They could all lead to remote code execution, apart from one (CVE-2018-8324), which could cause information disclosure.
Publicly Disclosed Vulnerabilities
There are no zero-days in this month’s round of patches, but three vulnerabilities had already been publicly disclosed. CVE-2018-8313 is an elevation of privilege vulnerability that affects Windows Server and desktop editions of Windows. According to Microsoft, it is not being actively exploited. Nevertheless, Microsoft says that it is likely that attacks will occur.
CVE-2018-8314 is another elevation of privilege vulnerability that only applies to older versions of Windows. Finally, a Microsoft Edge spoofing vulnerability (CVE-2018-8278) affects Windows 10 Version 1803. An attacker could make it look like you are on a legitimate website. To exploit the vulnerability, an attacker must either persuade the user to browse to a malicious website or have the user redirected to it.
Windows 10 1803 Promoted to Semi-Annual Channel
Windows 10 version 1803 build 17134.165, which is the build you get after installing this month’s Patch Tuesday cumulative update, is now being promoted by Microsoft for organizations updating on the semi-annual release channel (SAC). As reported by Brad Sams on Petri earlier this week, Microsoft is encouraging businesses to deploy Windows 10 version 1803. Microsoft’s recommendation doesn’t mean that you shouldn’t test version 1803 in your organization.
This month sees two Skype for Business vulnerabilities patched. One is remote code execution and the other a security feature bypass. Both are rated as important. Microsoft Office 2016 Click-to-Run (C2R) for 64-bit editions gets an important remote code execution patch and Microsoft Office 2010 Service Pack 2 (32-bit editions) gets a tampering fix that’s rated as low.
Adobe and Intel
Adobe patched Flash to plug CVE-2018-5007 and CVE-2018-5008, which are information disclosure and arbitrary code vulnerabilities respectively. Microsoft also made a minor update to the Spectre v4 patch that was first released last month.
BSOD After July Patches
Some users on Windows 10 are experiencing blue screens of death (BSODs) after applying this month’s patches, pointing to a tcpip.sys error. Windows 7 users might find that their network card stops working after applying the July update. Microsoft has offered a workaround for users experiencing this problem. Open Device Manager and select Scan for Hardware Changes from the Action menu.
That’s it for this month. Happy testing and patching.
Follow Russell on Twitter @smithrussell.