April 2018 kept Microsoft busy, with vulnerabilities surfacing unexpectedly on top of the delayed Windows 10 April 2018 Update. Windows 10 rollouts are now part of the Patch Tuesday updates for May. Microsoft also fixed a few vulnerabilities that were already being exploited in the wild. According to Microsoft’s Patch Tuesday security bulletin, 67 vulnerabilities were fixed in all, 23 of which were critical.
Here are some of the major fixes from Microsoft:
- CVE-2018-8174: Zero-day vulnerability named Double Kill involving Internet Explorer that also affected other applications using the IE kernel; believed to be exploited in the wild.
- CVE-2018-8141: Windows Kernel Information Disclosure Vulnerability; publicly disclosed and exploited.
- CVE-2018-8170: Elevation of privilege vulnerability affecting Windows image; publicly disclosed and exploited.
- CVE-2018-8120: Vulnerability in Win32K leading to privilege escalation.
May 2018 security updates for Microsoft products
Included in this month’s Patch Tuesday updates are patches for the following products:
- Microsoft Windows
- .NET framework
- Azure
- MS Office and Services
- ChakraCore
- Internet Explorer
- Microsoft Edge
- Adobe Flash Player
- Microsoft Exchange Server
Critical updates
Microsoft has labeled 23 of this month’s patch releases as critical. The impact of ignoring these critical patches and security updates can include remote code execution, information disclosure, denial of service, elevation of privilege, and security feature bypass—all indicators of a cyberattack.
The CVE details are as follows:
1. Chakra Scripting Engine Memory Corruption Vulnerability:
- CVE-2018-8130
- CVE-2018-8133
- CVE-2018-8177
- CVE-2018-0943
2. Hyper-V Remote Code Execution Vulnerability: CVE-2018-0959
3. Hyper-V vSMB Remote Code Execution Vulnerability: CVE-2018-0961
4. Microsoft Browser Memory Corruption Vulnerability: CVE-2018-8178
5. Microsoft Exchange Memory Corruption Vulnerability: CVE-2018-8154
6. Scripting Engine Memory Corruption Vulnerability:
- CVE-2018-8122
- CVE-2018-8128
- CVE-2018-8137
- CVE-2018-8139
- CVE-2018-8145
- CVE-2018-8146
- CVE-2018-8151
- CVE-2018-8153
- CVE-2018-8155
- CVE-2018-1022
- CVE-2018-8114
7. Windows Host Compute Service Shim Remote Code Execution Vulnerability: CVE-2018-8115
8. Windows VBScript Engine Remote Code Execution Vulnerability: CVE-2018-8174
Adobe Flash Player updates
There was one critical patch for Flash Player this month, which Adobe had fixed earlier: CVE-2018-4944. Read Adobe’s security advisory.
Non-security updates
Microsoft also released non-security updates for Office 2010, 2013, and 2016. View the entire list of non-security patches.
Patch Tuesday best practice
Microsoft and other vendors release timely hotfixes, rollups, service packs, etc. to ensure users aren’t exploited through various vulnerabilities. Be sure to take advantage of these security updates to keep your enterprise secure. Better yet, use automated patch management with scheduled deployment to keep your systems up-to-date. You can download a 30-day free trial of either Desktop Central or Patch Manager Plus to get started.