Microsoft’s July Patch Tuesday release covered more than 50 CVEs with 17 rated critical with the vast majority of these being in various Microsoft browsers.
All of the critically rated vulnerabilities could lead to remote code execution if exploited and almost all of these involve Internet Explorer and Edge with a few effecting ChokraCore.
Here are the details on Microsoft’s updates.
“There are also RCEs in Lync / Skype for Business (CVE-2018-8311), Access (CVE-2018-8312), SharePoint Server (CVE-2018-8300) and Office (CVE-2018-8281),” said Greg Wiseman, Senior Security Researcher at Rapid7.
Wiseman also noted that while no zero-days were listed this month three vulnerabilities had been publicly disclosed prior to the release: These are Windows OS this month. CVE-2018-8313and CVE-2018-8314 two privilege escalation vulnerabilities in Windows and a spoofing vulnerability in Edge whereby a user could be tricked into believing a malicious website is legitimate. The third is in how Edge handles specific HTML content. Possibly allowing an attacker to impersonate a legitimate website and trick a user into believing it is the legitimate website.
Some attention during this patch cycle was also paid to the on-going Spectre/Meltdown vulnerability with Microsoft offering up some updates and changes.
Microsoft also updated ADV180002 and ADV180012 regarding Meltdown and Spectre variants. ADV180002 looks like it just received some housekeeping so for variants 1 (CVE-2017-5753), 2 (CVE-2017-5715), and 3 (CVE-2017-5754) there are no updates other than documentation cleanup. ADV180012 was updated to state that variant 4 (CVE-2018-3639) for Speculative Store Bypass is updated on all supported Windows systems for Intel processors and that Microsoft is working with AMD to close the loop on AMD processor exposure to variant 4,” said Chris Goettl, Ivanti’s director of product management, security.