This Patch Tuesday covers a lot of vulnerabilities, but in terms of critical updates, it is still light. Out of the 75 vulnerabilities covered, only 15 are marked as critical. Adobe has released patches as well, covering 7 vulnerabilities. All of the critical vulnerabilities from Microsoft are in browsers and browser-related technologies. It is recommended that these be prioritized for workstation-type devices. Any system that accesses the Internet via a browser should be patched.
Out of the remaining “Important” vulnerabilities, one stands out. CVE-2018-0886 is a vulnerability in CredSSP, which is used to process authentication requests. While CredSSP is used for other applications, the attack scenario mentioned by Microsoft involves Remote Desktop. The update covers both the CredSSP protocol used by the RDP server as well as the RDP clients. Group Policy settings must be enabled to ensure full mitigation of the vulnerability for RDP. Microsoft has also given a tentative timeline for additional updates. In April, new versions of the RDP client will be released to add better error messages, and in May an update will be released to prevent clients from connecting using insecure versions of CredSSP.
CVE-2018-0883 is also worth noting, as it is a remote code execution vulnerability in the Windows Shell. It does require the user to download and open a malicious file in order to exploit it, but this patch should also be prioritized for workstation-type systems.
Microsoft has also released patches for Meltdown and Spectre covering more operating systems. 32-bit versions of Windows 7 and 8.1, as well as Server 2008 and 2012 now have mitigations for Meltdown and Spectre. There are still no known attacks on these vulnerabilities.
For Adobe, an update was released for Flash, which is distributed by Microsoft and Adobe to cover all supported platforms. This patch remediates 2 critical vulnerabilities and should be prioritized for workstation-type devices. There are currently no active attacks against these vulnerabilities. Updates were also released for Adobe Connect and Dreamweaver, covering another 3 vulnerabilities. The Dreamweaver vulnerability is marked as Critical.
• Security updates are available for all supported versions of Windows (client and server).
• Other Microsoft products with security updates are: Internet Explorer, Microsoft Edge, Microsoft Exchange Server, PowerShell Core, Adobe Flash, Microsoft Office
• No critical vulnerabilities for Windows versions but for Microsoft Edge and Internet Explorer.
• Microsoft lifted the antivirus compatibility check on Windows 10 version 1607, 1703 and 1709.
Operating System Distribution
• Windows 7: 21 vulnerabilities of which 21 are rated important
• Windows 8.1: 20 vulnerabilities of which 20 are rated important
• Windows 10 version 1607: 29 vulnerabilities of which 29 are rated important
• Windows 10 version 1703: 28 vulnerabilities of which 28 are rated important
• Windows 10 version 1709: 24 vulnerabilities of which 24 are rated important
Windows Server products:
• Windows Server 2008: 21 vulnerabilities of which 21 are rated important
• Windows Server 2008 R2: 22 vulnerabilities of which 22 are rated important
• Windows Server 2012 and 2012 R2: 21 vulnerabilities of which 21 are rated important
• Windows Server 2016: 29 vulnerabilities of which 29 are rated important
Other Microsoft Products
• Internet Explorer 11: 7 vulnerabilities, 2 critical, 5 important
• Microsoft Edge: 16 vulnerabilities, 12 critical, 4 important