For this month’s Patch Tuesday, Microsoft has released patches covering 55 vulnerabilities, with 15 ranked as critical. This includes out-of-band Office patches from mid-January as well as patches for Adobe Flash that were released last week.
There are patches for a vulnerability (CVE-2018-0825) that impacts StructuredQuery in Windows servers and workstations. Exploitation of this vulnerability would be through a malicious file and would lead to remote code execution. This patch should be at the top of the priority list, aside from the Adobe Flash patches mentioned below.
There are also patches for vulnerabilities in Microsoft Outlook which could lead to remote code execution. Most of the remaining Microsoft vulnerabilities are for the Scripting Engine, which primarily impacts browsers. These patches should be prioritized on workstation-type devices.
Out-of-band patches were released in January for Microsoft Office’s Equation Editor, and Microsoft is ranking these as “Important.” These patches disable the Equation Editor functionality in Office to avoid further security issues.
Adobe has released several patches, including some from last week covering Flash, Reader, Acrobat, and Adobe Experience Manager. The Reader and Acrobat patches cover a whopping 41 vulnerabilities, while the Flash and Experience Manager patches each cover two. There are active exploits against the Flash vulnerabilities, and should be patched immediately, followed quickly by the Reader and Acrobat patches.
• Microsoft released updates for all supported client and server versions of Windows.
• Security updates are available for Microsoft Office, Adobe Flash, Microsoft Edge and Internet Explorer as well.
• All Windows systems are affected by one critical vulnerability.
Operating System Distribution
• Windows 7: 15 vulnerabilities of which 1 is rated critical and 14 are rated important
• Windows 8.1: 12 vulnerabilities of which 1 is rated critical, 10 are important, and 1 is moderate
• Windows 10 version 1607: 17 vulnerabilities of which 1 is rated critical and 16 are rated important
• Windows 10 version 1703: 18 vulnerabilities of which 1 is rated critical and 17 are rated important
• Windows 10 version 1709: 19 vulnerabilities of which 1 is rated critical and 18 are rated important
Windows Server products:
• Windows Server 2008: 11 vulnerabilities of which 1 is rated critical and 10 are rated important
• Windows Server 2008 R2: 14 vulnerabilities of which 1 is rated critical and 13 are rated important
• Windows Server 2012 and 2012 R2: 12 vulnerabilities of which 1 is rated critical 11 are rated important
• Windows Server 2016: 17 vulnerabilities of which 1 is rated critical and 16 are rated important
Other Microsoft Products
• Internet Explorer 11: 2 vulnerabilities, 1 critical, 1 important
• Microsoft Edge: 14 vulnerabilities, 11 critical, 2 important, 1 moderate