Patch Tuesday heats up with pair of exploited zero-days squashed – plus 58 other vulns fixed
Summertiiiiiime, and the hacking is easy
Microsoft and Adobe have teamed up to deliver more than 70 patches with this month's Patch Tuesday batch released today.
Microsoft contributed the bulk of the fixes emitted this month, kicking out updates for 60 CVE-listed vulnerabilities in its products. These should be installed as soon as you're able to test and deploy them.
Among the highest priorities are a pair of zero-day bugs that are right now being exploited in the wild to compromise victims' Windows PCs. CVE-2018-8373, a remote code execution memory corruption error in the Internet Explorer scripting engine, and CVE-2018-8414, a remote code execution bug from invalid file path handling in Windows Shell, have both been leveraged by miscreants to commandeer computers.
The IE flaw is exploited by webpages to infect machines via unpatched browsers, while the Windows Shell programming blunder is abused by specially crafted PDF files. In addition to installing the Windows updates, admins will want to make sure they have this month's Adobe patches (more on that later) in place as soon as possible, too.
Readers will not be shocked to learn that most of this month's Microsoft fixes concern bugs in the browser and scripting engines. Patches for critical flaws in Internet Explorer, Edge, and Chakra Scripting account for 23 of the bugs, including 13 critical remote code execution vulnerabilities.
Outside of the browser, Microsoft has addressed a remote code execution buffer overflow flaw in SQL Server (CVE-2018-8273) and a memory corruption RCE hole in the Windows PDF Library component CVE-2018-8350.
Also catching the eye of security researchers was CVE-2018-8360, a data disclosure issue in .NET Framework that can cause information to spill over from one data stream into another in certain high-density server environments.
"On the surface, an information disclosure vulnerability in .NET doesn’t seem too bad," noted Dustin Childs of the Trend Micro Zero Day Initiative. "However, this particular bug could allow an attacker to access information in multi-tenant environments. It appears to mostly impact high-load/high-density environments as an attacker could potentially blend different network streams together."
Oracle: Run, don't walk, to patch this critical Database takeover bugREAD MORE
Earlier today, El Reg spilled the beans on a trio of new design flaws in Intel processors. Microsoft has updated its operating system and hypervisor code to mitigate the hardware-level vulnerabilities. The fixes are detailed in a security advisory released with the monthly updates.
Adobe patches Flash, Creative Cloud
The releases from Microsoft and Adobe come on the heels of an urgent patch from Oracle for Database Server, giving enterprise IT admins will have plenty of work on their plates this week. ®