May 2018 Patch Tuesday – Medium Weight, However One Active Exploit Needs Attention
This May’s Patch Tuesday has quite a few Microsoft fixes for both the OS and browsers. In all, 67 unique CVEs are addressed in 17 KB articles, with 21 CVEs marked Critical. 32 of these CVEs reference Remote Code Execution, 19 of which are Critical. Those who use Hyper-V have some updates to pay attention to as well.
OS, Browser and Office
In terms of prioritization, we recommend patching user-facing assets first, with a focus on OS, browser patches, and Office to resolve scripting engine vulnerabilities.
We recommend you first test and deploy the fixes for CVE-2018-8174, which addresses how the scripting engine handles memory objects. It should be noted that Microsoft lists this patch as Exploitation Detected, so this update should get immediate attention.
Usually browsers are targeted heavily, and this month is no exception. There are 18 CVEs marked as critical, with Microsoft rating them as Exploitation More Likely. So it is recommended to install the cumulative updates wherever possible to get the best coverage on any system that uses a browser to access the internet.
In addition, Hyper-V has been getting some attention lately as well. While the vulnerabilities are rated as Exploitation Less Likely, it may be time to deploy Hyper-V updates as it has been getting more updates.There are two vulnerabilities that could enable a guest operating system to compromise the host. CVE-2018-0961 addresses abuse of vSMB packets, while CVE-2018-0959 could allow arbitrary code execution on the host from a guest OS.
There is also a notable fix for a vulnerability in Exchange server you may want to review and deploy as well. CVE-2018-8153 is a spoofing vulnerability that could allow an attacker to trick a user into accessing a malicious website. The vulnerability does require user interaction, but it is important to reduce the attack surface, especially when it comes to email.
There is one advisory for Flash Player, ADV180008, referencing CVE-2018-4944 from Adobe’s APSB18-16 bulletin for Flash Player. Additionally, Adobe released 2 other bulletins today for vulnerabilities in Creative Cloud and Adobe Connect.
Summary: Microsoft recommends first fixing CVE-2018-8174, then to focus on all browser updates, and then turn your attention to Hyper-V.
Credit: Jimmy Graham, Qualys Product Manager