This Patch Tuesday has quite a few Microsoft fixes for both the OS and browsers. In all, 67 unique CVEs are addressed in 17 KB articles, with 21 CVEs marked Critical. 32 of these CVEs reference Remote Code Execution, 19 of which are Critical. Those who use Hyper-V have some updates to pay attention to as well.
OS, Browser and Office
In terms of prioritization, we recommend patching user-facing assets first, with a focus on OS, browser patches, and Office to resolve scripting engine vulnerabilities.
We recommend you first test and deploy the fixes for CVE-2018-8174, which addresses how the scripting engine handles memory objects. It should be noted that Microsoft lists this patch as Exploitation Detected, so this update should get immediate attention.
Usually browsers are targeted heavily, and this month is no exception. There are 18 CVEs marked as critical, with Microsoft rating them as Exploitation More Likely. So it is recommended to install the cumulative updates wherever possible to get the best coverage on any system that uses a browser to access the internet.
Hyper-V
In addition, Hyper-V has been getting some attention lately as well. While the vulnerabilities are rated as Exploitation Less Likely, it may be time to deploy Hyper-V updates as it has been getting more updates. There are two vulnerabilities that could enable a guest operating system to compromise the host. CVE-2018-0961 addresses abuse of vSMB packets, while CVE-2018-0959 could allow arbitrary code execution on the host from a guest OS.
Exchange
There is also a notable fix for a vulnerability in Exchange server you may want to review and deploy as well. CVE-2018-8153 is a spoofing vulnerability that could allow an attacker to trick a user into accessing a malicious website. The vulnerability does require user interaction, but it is important to reduce the attack surface, especially when it comes to email.
Adobe
There is one advisory for Flash Player, ADV180008, referencing CVE-2018-4944 from Adobe’s APSB18-16 bulletin for Flash Player. Additionally, Adobe released 2 other bulletins today for vulnerabilities in Creative Cloud and Adobe Connect.
Note: Microsoft recommends first fixing CVE-2018-8174, then to focus on all browser updates, and then turn your attention to Hyper-V.
Executive Summary
• Microsoft plans to distribute the Windows 10 version 1803 update automatically starting today. The release has a lot of bugs and suggestion are being made to block it for now.
•Microsoft released security updates for all client and server versions of the Windows operating system.
• All supported versions of Windows are affected by at least one critical security issue.
• Other Microsoft product with patches: Internet Explorer, Microsoft Edge, Microsoft Office, Adobe Flash Player, Microsoft .NET Framework, Microsoft Exchange Server.
Operating System Distribution
• Windows 7: 11 vulnerabilities of which 2 are rated critical, 7 important, and 1 low
• Windows 8.1: 11 vulnerabilities of which 2 are rated critical, 7 important, and 1 low
• Windows 10 version 1607: 18 vulnerabilities of which 3 are rated critical, 14 important and 1 low
• Windows 10 version 1703: 19 vulnerabilities of which 3 are rated critical, 15 important and 1 low
• Windows 10 version 1709: 20 vulnerabilities of which 3 are rated critical, 16 important and 1 low
• Windows 10 version 1803: 16 vulnerabilities of which 3 are rated critical, 12 important and 1 low
Windows Server products:
• Windows Server 2008 R2: 11 vulnerabilities which 2 are rated critical, 8 important, and 1 low
• Windows Server 2012 and 2012 R2: 11 vulnerabilities which 2 are rated critical, 8 important, and 1 low
• Windows Server 2016: 18 vulnerabilities of which 3 are rated critical, 14 important, and 1 low
Other Microsoft Products
• Internet Explorer 11: 9 vulnerabilities, 6 critical, 3 important
• Microsoft Edge: 18 vulnerabilities, 13 critical, 5 important
Direct update downloads
Updates for all supported versions of Windows may also be downloaded from the Microsoft Update Catalog website.
Windows 7 SP1 and Windows Server 2008 R2 SP
KB4103718— 2018-05 Security Monthly Quality Rollup for Windows 7
KB4103712 — 2018-05 Security Only Quality Update for Windows 7
Windows 8.1 and Windows Server 2012 R2
KB4103725 — 2018-05 Security Monthly Quality Rollup for Windows 8.1
KB4103715 — 2018-05 Security Only Quality Update for Windows 8.1
Windows 10 and Windows Server 2016 (version 1607)
KB4103723 — 2018-05 Cumulative Update for Windows 10 Version 1607
Windows 10 (version 1703)
KB4103731 — 2018-05 Cumulative Update for Windows 10 Version 1703
Windows 10 (version 1709)
KB4103727 — 2018-05 Cumulative Update for Windows 10 Version 1709
Windows 10 (version 1803)
KB4103721 — 2018-05 Cumulative Update for Windows 10 Version 1709