Microsoft’s June 2018 Patch Tuesday cumulative rollout for Windows 10 contains a mitigation for the fourth Spectre variant, known as Speculative Store Bypass (CVE-2018-3639).
Other patches fix issues ranging from display brightness controls to adding support for the SameSite cookie web standard to Microsoft Edge and Internet Explorer.
Microsoft Windows support said the fixes in the update for CVE-2018-3639/Spectre are not enabled by default and must be turned on by the administrator. “Windows client (IT pro) guidance, follow the instructions in KB4073119. For Windows Server guidance, follow the instructions in KB4072698,” Microsoft support said.
Allan Liska, threat intelligence analyst at Recorded Future, pointed to the patch issued for CVE-2018-8229 as being particularly important this month. It fixes a remote code execution vulnerability in the way the Chakra scripting engine handles objects in memory for Edge. Microsoft noted that memory could be corrupted in such a way that an attacker could execute arbitrary code as the user. The flaw would be exploited through the use of a specially crafted website and a social engineering campaign designed to entice the victim to accept malicious advertising or other content.
Microsoft’s update also included the fixes Adobe released last week, when that company patched four vulnerabilities in Flash Player, including a zero-day flaw that attackers have been exploiting in the wild in targeted attacks against Windows users in the Middle East, possibly in Qatar. The actively exploited issue, CVE-2018-5002, is an arbitrary code execution bug caused by a stack-based buffer overflow in Flash Player versions 18.104.22.168 and earlier.
Other patched vulnerabilities that could lead to remote code execution were CVE-2018-8248, CVE-2018-8213, CVE-2018-8231 and CVE-2018-8225. The last item was of interest to Dustin Childs, of the Zero Day Initiative, who called it the most important update this cycle.
“This bug clearly wins for most critical this month. This vulnerability could allow an attacker to execute code at the local system level if they can get a crafted response to target the server,” he said in a blog post.
Another highlighted fix addresses the Windows denial of service vulnerability CVE-2018-8205. Microsoft said Windows improperly handles objects in memory, which an attacker could exploit to cause a target system to stop responding. To accomplish this, the attacker would log on to the system and run a specially crafted application.
There were also 14 elevation of privilege issues patched, along with seven Device Guard code integrity policy security feature bypass vulnerabilities, which could let an attacker inject malicious code into a Windows PowerShell session.