It's April 2018 – and Patch Tuesday shows Windows security is still foiled by fiendish fonts
Adobe's Flash also up the spout
Microsoft has released the April edition of its monthly security update, this time addressing a total of 63 CVE-listed vulnerabilities.
This month's update includes critical fixes for the usual suspects: Windows, Edge, Internet Explorer, and Office, as well as one flaw Redmond previously fixed with an unscheduled update. You should install these fixes as soon as you can, if your system hasn't already.
Just one of this month's patches is for a zero-day flaw; CVE-2018-1034 is an elevation of privilege vulnerability in SharePoint that, when exploited via a poisoned web request, allows an attacker to run script with the security clearance of the current user. Microsoft says the most likely use for the bug would be cross-site scripting attacks.
Among the more serious bugs are a set of five remote code execution vulnerabilities in the graphics component of Windows and Windows Server (CVE-2018-1010, CVE-2018-1012, CVE-2018-1013, CVE-2018-1015, CVE-2018-1016). Each of those vulnerabilities would allow an attacker to pwn PCs via a specially-crafted font, in some cases by simply putting the font on a web page viewed by the target.
"Those of us who lived through Duqu always shudder a bit when we see font-related bugs, and these have me downright shivering," writes Dustin Childs of the Zero Day Initiative.
"Since there are many ways to view fonts – web browsing, documents, attachments – it’s a broad attack surface and attractive to attackers."
Script, script, and script again
The usual crop of scripting engine bugs was patched for Edge and Internet Explorer. The two browsers combined for 10 memory corruption and remote code execution scripting vulnerabilities, while Internet Explorer also saw fixes for four additional memory corruption remote code execution vulnerabilities of its own (CVE-2018-0870, CVE-2018-0991, CVE-2018-1018, CVE-2018-1020).
Office, meanwhile, is getting fixes for a number of nasty bugs, including remote code execution flaws in VBScript (CVE-2018-1004) and Excel (CVE-2018-0920), and an information disclosure bug in apps that handle .RTF files (CVE-2018-0950).
Server admins will want to take note of the fix for CVE-2018-0957, an information disclosure flaw that allows nefarious VMs to view memory contents of the host system outside of the hypervisor.
Childs notes that because Malware Protection Engine isn't part of the monthly patch schedule, this shouldn't be considered an 'out of band' fix. He is technically correct (the best kind of correct).
Microsoft even snuck in a hardware fix to the April updates. The patch load includes a fix for the Wireless 850 Keyboard to address a particularly nasty bug, CVE-2018-8117, that lets an attacker bypass security checks with an old AES and record keystrokes, or hijack and inject packets sent from the wireless keyboard to the PC.
Also, if you have a recent AMD processor, install KB4093112 as it contains Spectre CPU flaw fixes for your family of chips.
And now you're done with Windows...
Once you've installed the Windows updates, you'll want to make sure you get this month's fixes from Adobe.
They include an update to Flash Player that patches three remote code execution vulnerabilities and three information disclosure flaws. Microsoft has issued its own patch for the Internet Explorer version of Flash Player.
ColdFusion users will want to download an update to address five flaws: one remote code execution vulnerability, three information disclosure bugs, and a local privilege escalation flaw.
Adobe also kicked out fixes for three cross-site scripting bugs in Experience Manager, memory corruption and privilege elevation flaws in InDesign, information disclosure flaws in Digital Editions, and a Same Origin Method Execution flaw in the PhoneGap plugin. ®