In this month’s Patch Tuesday, Microsoft released a disabled-by-default patch for Spectre 4, Adobe plugs a zero-day Flash vulnerability that can be exploited via Excel, and there are fixes for DNS, black screens, and Cortana.
This month sees Microsoft release 26 fixes for Windows 10 version 1709 and 7 updates for Microsoft Edge. Four of the patches for Windows 10 are critical remote-code execution exploits. One affects DNS and could allow a hacker to run code under the local system account by sending corrupted DNS responses to the target server. The most likely to be exploited is a media foundation memory corruption vulnerability that could allow an attacker to install programs; view, change, and delete data; or create new user accounts if the logged in user is persuaded to visit a malicious webpage.
As reported on Thurrott.com and discovered by McAfee, CVE-2018-8140 fixes a vulnerability that could allow an attacker with physical access to a device to run code with elevated rights, retrieve confidential information, and even change a user’s password by using Hey Cortana from the lock screen.
Some Windows 10 users were experiencing problems with a black screen after updating to Windows 10 version 1803. The month’s cumulative update for the April 2018 Update bumps the version number to 17134.112 and includes a fix for this issue.
Adobe has patched a zero-day flaw affecting Flash that could be exploited through Microsoft Excel. CVE-2018-8229 affects the Chakra Core scripting engine and could be exploited using specially crafted web content, allowing the attacker to get the same rights as the logged in user to install programs, modify data, and create new accounts. Microsoft believes that this flaw is likely to be exploited.
Microsoft has also patched the Spectre Variant 4 Speculative Store Bypass attack. This fix is only available for Windows 10, Windows Server 2016, Windows 7, and Windows Server 2008 R2. The fix is disabled by default because the risk isn’t as high as the other Spectre variants and the performance impact can be up to 8 percent. For more detailed information about enabling Spectre 4 protection, see Microsoft’s advisory here and Intel’s Spectre Variant 4 Microcode Update Off by Default on Petri.
Windows 7
Windows 7 32-bit edition gets 8 security updates, 6 Important, and 2 Critical. 3 are an elevation of privilege vulnerabilities, one information disclosure, and 2 denials of service. Both the critical vulnerabilities are remote code execution. Internet Explorer 11 has three remote code execution vulnerabilities, two of which are rated Critical.
Windows Server
Windows Server 2012 and Windows Server 2012 R2 get 8 security fixes, 6 rated Important and 2 Critical. There’s one important and one critical remote code execution vulnerability. Windows Server 2008 R2 also gets 8 security updates, including 2 Critical, both of which are remote code execution vulnerabilities. 3 of the important security updates are elevations of privilege vulnerabilities.
Microsoft Office
Microsoft Office 2016 gets 3 security updates, all rated Important. One is an escalation of privilege vulnerability in the way Outlook handles attachment headers and could be exploited if the victim is persuaded to open a malicious link or attachment. Excel has a remote code execution vulnerability that could allow an attacker to run code in the context of the logged in user.
Microsoft Security Servicing Commitment
Additionally this month, Microsoft released a draft document that explains why some vulnerabilities are patched more quickly than others. The document says that Microsoft waits to patch some vulnerabilities until the next major version of the operating system. In short, Microsoft patches vulnerabilities rated Critical or Important that affect security boundaries, like the division between kernel and user-mode code, virtual machines, and security features like BitLocker and Secure Boot. But defense-in-depth features, like User Account Control (UAC) and AppLocker, have to wait until the next major release to be patched.
That’s it for this month.
Follow Russell on Twitter @smithrussell.