This month’s Patch Tuesday is medium in weight, with 54 CVEs containing 17 Critical. All but two of the Critical vulnerabilities are in Microsoft’s browsers or browser-related technologies. An additional speculative execution vulnerability announced in June was patched as well. Adobe has also released patches covering multiple products each with multiple CVEs.
Browser Vulnerabilities
The 16 CVEs covering browsers should be prioritized for workstation type devices, meaning any system where users are commonly accessing the public internet through a browser or checking email. This includes multi-user servers that are used as remote desktops for users.
Lazy FP State Restore
Following June’s Patch Tuesday, Microsoft released information on all supported versions of Windows covering a new side-channel attack on speculative execution. This vulnerability is similar to other Meltdown/Spectre vulnerabilities and does require the attacker to execute code on a vulnerable system. Patches have been made available for this Patch Tuesday, and are ranked as Important.
PowerShell Editor Services
A vulnerability was patched in PowerShell Editor Services. Microsoft has not provided a CVSS score for this vulnerability at the time of this posting, but has ranked it as Critical.
Microsoft Exchange / Oracle Outside In library
Microsoft also released out-of-band patches in June for Exchange Server that addresses vulnerabilities patched in the Oracle Outside In library. These patches should be prioritized for all Exchange servers.
Adobe
Adobe has released several patches covering Acrobat, Reader, Flash, Adobe Connect, and Adobe Experience Manager. Vulnerabilities in Acrobat, Reader, and Flash have been marked as critical. Flash has one critical CVE, while Acrobat and Reader have over 50. Microsoft has provided patches for Flash on supported operating systems. These patches should be prioritized for all workstation type systems.
Executive Summary
- Microsoft released security updates for all client and server versions of Windows.
- No critical vulnerabilities for all client and server versions of Windows.
- Critical vulnerabilities in Edge and Internet Explorer.
- Other Microsoft products with security updates are: Microsoft Office, .NET Framework, ASP.NET, Visual Studio, Skype for Business and Microsoft Lync, and Internet Explorer / Microsoft Edge
Operating System Distribution
- Windows 7: 7 vulnerabilities of which 7 are important.
- Windows 8.1: 9 vulnerabilities of which 9 are important.
- Windows 10 version 1607: 8 vulnerabilities of which 8 are important.
- Windows 10 version 1703: 8 vulnerabilities of which 8 are important.
- Windows 10 version 1709: 8 vulnerabilities of which 8 are important.
- Windows 10 version 1803: 7 vulnerabilities of which 7 are important.
Windows Server products
- Windows Server 2008 R2: 8 vulnerabilities of which 8 are important.
- Windows Server 2012 and 2012 R2: 9 vulnerabilities of which 9 are important.
- Windows Server 2016: 8 vulnerabilities of which 8 are important.
Other Microsoft Products
- Internet Explorer 11: 6 vulnerabilities, 4 critical, 2 important
- Microsoft Edge: 19 vulnerabilities, 12 critical, 7 important
Direct update downloads
Microsoft publishes downloads of all updates that it releases on the company’s Microsoft Download Center website.
Windows 7 SP1 and Windows Server 2008 R2 SP
- KB4338818 — 2018-07 Security Monthly Quality Rollup for Windows 7
- KB4338823 — 2018-07 Security Only Quality Update for Windows 7
Windows 8.1 and Windows Server 2012 R2
- KB4338815 — 2018-07 Security Monthly Quality Rollup for Windows 8.1
- KB4338824 — 2018-07 Security Only Quality Update for Windows 8.1
Windows 10 and Windows Server 2016 (version 1607)
- KB4338814 — 2018-07 Cumulative Update for Windows 10 Version 1607
Windows 10 (version 1703)
- KB4338826 — 2018-07 Cumulative Update for Windows 10 Version 1703
Windows 10 (version 1709)
- KB4338825 — 2018-07 Cumulative Update for Windows 10 Version 1709
Windows 10 (version 1803)
- KB4338819 — 2018-07 Cumulative Update for Windows 10 Version 1709