Microsoft's latest Patch Tuesday release is a massive one. In one go, Microsoft released fixes for 60 different vulnerabilities. These include fixes for two zero-day vulnerabilities as well as some previously reported bugs. Microsoft has also released mitigations for a few Intel side-channel vulnerabilities, including the latest L1TF attacks. Here is a quick overview of these patches.
Microsoft Patch Tuesday Patches Zero-Day Vulnerabilities
The Microsoft Patch Tuesday release for August 2018 includes fixes for 60 different vulnerabilities. More notably, it addresses two zero-day vulnerabilities in addition to 19 critical vulnerabilities.
The two zero-days are both remote code execution (RCE) flaws. The first, CVE-2018-8373, exists in Internet Explorer versions 9, 10 and 11. Microsoft describes the flaw as follows:
“A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.”
Reportedly, an attacker who exploits this flaw gains the same rights as the current user. If that user holds an admin account, the attacker obtains full admin rights and can take complete control of the affected system.
To exploit this vulnerability, the attacker needs to draw a user to a specially crafted website in Internet Explorer. Alternatively, the attacker can use other compromised websites or advertisements to entice a user.
The second zero-day is a Windows Shell Remote Code Execution Vulnerability (CVE-2018-8414). According to Microsoft,
“A remote code execution vulnerability exists when the Windows Shell does not properly validate file paths. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user.”
Here again, an attacker gains admin rights if the current user holds an admin account. Exploiting this vulnerability requires the attacker to lure the user into clicking on a malicious file. To do this, the attacker might send the file by email or draw the user to a compromised website hosting it. Either way, the attacker needs the user to click on the file.
Other Important Bug Fixes
Besides the zero-day flaws, Microsoft has also released fixes for several other products. These include numerous security fixes for Adobe Flash Player and an attempted mitigation for the previously reported Lazy FP State Restore vulnerability (CVE-2018-3665). The release also includes mitigations for the recently discovered L1TF vulnerabilities (CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646) affecting Intel CPUs.
Apart from these, the patches also address security flaws in Internet Explorer, Microsoft Office, .NET Framework, Microsoft Edge, Microsoft Windows, Microsoft SQL Server, Visual Studio, Microsoft Exchange Server, and ChakraCore.
Keep your system updated to protect yourself from the vulnerabilities addressed in Microsoft’s recent patch.