Microsoft patches 68 Windows vulnerabilities via May update
10 May 2018
Microsoft patched as many as 68 security vulnerabilities this week, including vulnerabilities that hackers could exploit to execute code in the context of the logged-in user, as well as a privilege escalation vulnerability affecting Windows 10 versions.
The security patches released by Microsoft are expected to fix security flaws in popular programmes such as Internet Explorer, Microsoft Edge browser, Microsoft Windows, Microsoft Office and Microsoft Office Services and Web Apps, Microsoft Exchange Server and Adobe Flash Player.
Several critical vulnerabilities fixed
According to Tyler Reguly, Manager of Software Development with Tripwire, the vulnerabilities patched by Microsoft this week included a vulnerability in VBScript that allowed attackers to execute code in the context of the logged-in user. This could be exploited via certain web browsers or Microsoft Office documents. A vulnerability tracked as CVE-2018-8141 impacted Windows 10 Version 1709 and Windows Server version 1709 and could lead to information disclosure, enabling hackers to compromise systems further.
A couple of privilege escalation vulnerabilities have also been patched by Microsoft. While CVE-2018-8120 allowed an attacker to execute code in kernel mode in Windows 7, Windows Server 2008 and Windows Server 2008 R2 devices, CVE-2018-8170 affected Windows 10 versions 1703 and 1709 and allowed hackers to take advantage of a flaw in the way the Windows kernel image handles objects in memory in order to execute code with higher privileges.
As many as fifteen versions of Microsoft Windows OS were found to be affected by a critical vulnerability in Adobe Flash Player that allowed attackers to carry out remote code execution. These versions included the latest ones such as Windows 10 Version 1607 for 32-bit Systems, Windows 10 Version 1703 for 32-bit Systems, Windows 10 Version 1803 for 32-bit Systems, and Windows 10 Version 1803 for x64-based Systems.
“In a web-based attack scenario where the user is using Internet Explorer for the desktop, an attacker could host a website that contains a webpage that is used to exploit any of these vulnerabilities. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit any of these vulnerabilities,” said Microsoft in a blog post.
“Internet Explorer in the Windows 8-style UI will only play Flash content from sites listed on the Compatibility View (CV) list. This restriction requires an attacker to first compromise a website already listed on the CV list. An attacker could then host specially crafted Flash content designed to exploit any of these vulnerabilities through Internet Explorer and then convince a user to view the website.
“An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by clicking a link in an email message or in an instant message that takes users to the attacker’s website, or by opening an attachment sent through email,” it added.
Second major fix in two months
Back in March, Microsoft had also released a series of security patches for critical Windows 10 programmes like Internet Explorer, Microsoft Edge, Microsoft Windows, Microsoft Office and Microsoft Office Services and Web Apps, Microsoft Exchange Server, ASP.NET Core, .NET Core, PowerShell Core, ChakraCore and Adobe Flash.
The March security patch series introduced security patches for Windows 10 version 1607 and newer, and also fixed a code execution vulnerability in the Credential Security Support Provider protocol (CredSSP) that allowed attackers with MitM capabilities to gain full access to a Remote Desktop Protocol session.
Microsoft, which tracks the vulnerability as CVE-2018-0886, said that to be fully protected against it, users must enable Group Policy settings on their systems and update their Remote Desktop clients. The Group Policy settings are disabled by default to prevent connectivity problems.