Microsoft Patch Tuesday: Nearly 70 issues, more than 20 rated critical

Microsoft patched nearly 70 security issues in its April 2018 Patch Tuesday release, which includes patches for six Adobe Flash Player vulnerabilities, three of which were rated critical.

More than 20 of the total releases were rated critical. Five of those were in the Windows Font Library, labeled as Microsoft Graphics in the bulletins, and can lead to code execution through a web-based or file-sharing attack.

Jimmy Graham, director of product management at Qualys, told SC Media these updates should be prioritized for workstation-type devices as well as servers.

“The majority of the Microsoft critical vulnerabilities are in browsers and browser-related technologies,” Graham said. “It is recommended that these be prioritized for workstation-type devices.”

Graham went on to emphasize that any Microsoft system that accesses the internet should be patched as soon as possible.

The updates also included another Spectre patch that mitigates CVE-2017-5715 (aka Spectre Variant 2, branch target injection) for Windows 10 version 1709 running on AMD processors.

Greg Wiseman, senior security researcher at Rapid7, told SC Media that the ongoing Spectre/Meltdown saga continues to illustrate the complexity involved in trying to work around hardware vulnerabilities via software, and that by default, applying this update will only protect against some attack scenarios.

“To prevent a malicious application run in user mode from being able to disclose the contents of kernel memory (user-to-kernel), the Indirect Branch Prediction Barrier must be enabled by adding certain registry keys and restarting,” Wiseman said. “This may negatively impact system performance, which is why it is not automatically enabled. Process-to-process and virtualized guest-to-host mitigations are enabled by default.”

Patches were also released for Microsoft Windows, Internet Explorer, Microsoft Edge, ChakraCore, Microsoft Office and Microsoft Office Services and Web Apps, Microsoft Malware Protection Engine, Microsoft Visual Studio, and the Microsoft Azure IoT SDK.

“While this vulnerability was identified between March and April Patch Tuesdays, CVE-2018-1038 should be a top priority for anyone who has Windows 7 for x64-based Systems or Windows Server 2008 R2 for x64-based Systems, and you have installed any of the servicing updates released during or after January 2018, you need to install 4100480 immediately to be protected from this Elevation of Privilege vulnerability,” said Chris Goettl, director of product management, security, for Ivanti.

Goettl added that a few critical kernel vulnerabilities and a host of critical browser vulnerabilities were also resolved.