This article is more than 1 year old
Patch Tuesday heats up with pair of exploited zero-days squashed – plus 58 other vulns fixed
Summertiiiiiime, and the hacking is easy
Microsoft and Adobe have teamed up to deliver more than 70 patches with this month's Patch Tuesday batch released today.
Microsoft contributed the bulk of the fixes emitted this month, kicking out updates for 60 CVE-listed vulnerabilities in its products. These should be installed as soon as you're able to test and deploy them.
Among the highest priorities are a pair of zero-day bugs that are right now being exploited in the wild to compromise victims' Windows PCs. CVE-2018-8373, a remote code execution memory corruption error in the Internet Explorer scripting engine, and CVE-2018-8414, a remote code execution bug from invalid file path handling in Windows Shell, have both been leveraged by miscreants to commandeer computers.
The IE flaw is exploited by webpages to infect machines via unpatched browsers, while the Windows Shell programming blunder is abused by specially crafted PDF files. In addition to installing the Windows updates, admins will want to make sure they have this month's Adobe patches (more on that later) in place as soon as possible, too.
Redmond's updates
Readers will not be shocked to learn that most of this month's Microsoft fixes concern bugs in the browser and scripting engines. Patches for critical flaws in Internet Explorer, Edge, and Chakra Scripting account for 23 of the bugs, including 13 critical remote code execution vulnerabilities.
Outside of the browser, Microsoft has addressed a remote code execution buffer overflow flaw in SQL Server (CVE-2018-8273) and a memory corruption RCE hole in the Windows PDF Library component CVE-2018-8350.
Also catching the eye of security researchers was CVE-2018-8360, a data disclosure issue in .NET Framework that can cause information to spill over from one data stream into another in certain high-density server environments.
"On the surface, an information disclosure vulnerability in .NET doesn’t seem too bad," noted Dustin Childs of the Trend Micro Zero Day Initiative. "However, this particular bug could allow an attacker to access information in multi-tenant environments. It appears to mostly impact high-load/high-density environments as an attacker could potentially blend different network streams together."
Oracle: Run, don't walk, to patch this critical Database takeover bug
READ MOREEarlier today, El Reg spilled the beans on a trio of new design flaws in Intel processors. Microsoft has updated its operating system and hypervisor code to mitigate the hardware-level vulnerabilities. The fixes are detailed in a security advisory released with the monthly updates.
Microsoft Office will receive fixes for remote code execution bugs in Excel (CVE-2018-8375, CVE-2018-8379,) and PowerPoint (CVE-2018-8376.
Also patched were information disclosure flaws in Office (CVE-2018-8378), and Excel (CVE-2018-8382), as well as elevation of privilege flaws in Exchange (CVE-2018-8374) and Office (CVE-2018-8412).
Adobe patches Flash, Creative Cloud
For Adobe, August brings fixes for five CVE-listed remote code vulnerabilities in Flash Player and a pair in Acrobat/Reader. Both patches should be installed as soon as possible.
Adobe has also posted fixes for one privilege escalation flaw in Creative Cloud and three vulnerabilities in Experience Manager.
The releases from Microsoft and Adobe come on the heels of an urgent patch from Oracle for Database Server, giving enterprise IT admins will have plenty of work on their plates this week. ®