Critical Microsoft Patches to Apply This Month
Microsoft security updates are released on the second Tuesday of each month.

Microsoft has fixed 65 vulnerabilities this month, over a third of which are critical and stretch across OS, browser and Office environments.

With this month’s security update, Microsoft patches a Windows Kernel Elevation of Privilege Vulnerability in three operating systems: Windows 7 for x64-based Systems Service Pack 1, Windows Server 2008 R2 for x64-based Systems Service Pack 1, and Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation).

An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.

The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.

If you are running Windows 7 for x64-based Systems or Windows Server 2008 R2 for x64-based Systems, and you have installed any of the servicing updates released during or after January 2018, you need to install 4100480 immediately to be protected from this vulnerability.
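The paragraph above gives a condition (Windows 7 x64 or Server 2008 R2 x64, plus any servicing update from January 2018 onwards) and a required update (4100480). The following PowerShell function is an added example, not part of the original article or of any Microsoft tooling, that checks a host against that condition. It assumes that `Get-HotFix` reports the update as `KB4100480`, and it approximates "installed any of the servicing updates released during or after January 2018" by looking for any hotfix whose `InstalledOn` date is 1 January 2018 or later; `Get-WmiObject` is used rather than `Get-CimInstance` so the script also runs on the PowerShell 2.0 that ships with Windows 7 SP1.

```powershell
# Added example (not from the original article): does this host need 4100480?
# Assumptions: the update shows up in Get-HotFix as "KB4100480"; a servicing
# update "released during or after January 2018" is approximated by any
# hotfix with an InstalledOn date of 2018-01-01 or later.
function Test-KernelEopPatchState {
    param(
        [string]$ComputerName    = $env:COMPUTERNAME,
        [string]$RequiredKb      = 'KB4100480',        # update named in the article
        [datetime]$ServicingCutoff = [datetime]'2018-01-01'
    )

    # Windows 7 and Windows Server 2008 R2 both report kernel version 6.1.x
    $os      = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
    $isWin61 = $os.Version -like '6.1.*'
    $isX64   = $os.OSArchitecture -like '64*'

    $hotfixes = Get-HotFix -ComputerName $ComputerName

    # Hotfixes installed on or after the cutoff stand in for "2018 servicing updates"
    $recentServicing = $hotfixes | Where-Object {
        $_.InstalledOn -and ($_.InstalledOn -ge $ServicingCutoff)
    }
    $recentCount = ($recentServicing | Measure-Object).Count   # safe on PS 2.0 (no .Count on scalars)

    $hasFix = [bool]($hotfixes | Where-Object { $_.HotFixID -eq $RequiredKb })

    # Action is required only when every part of the article's condition holds
    # and the fix itself is absent.
    $needsFix = $isWin61 -and $isX64 -and ($recentCount -gt 0) -and (-not $hasFix)

    New-Object PSObject -Property @{
        ComputerName       = $ComputerName
        OSVersion          = $os.Version
        Architecture       = $os.OSArchitecture
        ServicingSince2018 = $recentCount
        HasRequiredKb      = $hasFix
        ActionRequired     = $needsFix
    }
}

# Usage: run locally, or pass -ComputerName to query a remote host over WMI.
Test-KernelEopPatchState | Format-List
```

`ActionRequired` is `True` only for a 6.1 x64 host that has taken 2018 servicing and still lacks the update; a host that has never installed the January 2018 or later servicing updates is outside the condition the article describes and is reported as not requiring action, even though installing the update there is still reasonable.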

Elsewhere, an Important-rated SharePoint elevation of privilege bug (CVE-2018-1034) has been publicly disclosed but not yet patched by Microsoft; it has not been seen exploited in the wild.

Greg Wiseman, senior security researcher at Rapid7, highlighted an unusual patch for a Microsoft Wireless Keyboard 850 vulnerability. A vulnerability in the Microsoft Wireless Keyboard 850 could allow an attacker who has physical access to a targeted device to bypass security restrictions for the device.

The vulnerability is due to improper cryptographic key management by the affected device. An attacker could exploit this vulnerability by extracting the Advanced Encryption Standard (AES) key from a targeted device and using the key to transmit arbitrary keyboard human interface device (HID) packets to the device dongle via a 2.4-GHz wireless connection. A successful exploit could allow the attacker to send arbitrary commands to the targeted system and intercept keystrokes from the system.

Microsoft confirmed the vulnerability and released software updates.

The April security release consists of security updates for the following software:

  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • Microsoft Office and Microsoft Office Services and Web Apps
  • ChakraCore
  • Adobe Flash Player
  • Microsoft Malware Protection Engine
  • Microsoft Visual Studio

Please note the following information regarding the security updates:

  • Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are available via the Microsoft Update Catalog.
  • Starting in March 2017, a delta package will be available on the Microsoft Update Catalog for Windows 10 version 1607 and newer. This delta package contains just the delta changes between the previous month and the current release.
  • Updates for Windows RT 8.1 and Microsoft Office RT software are only available via Windows Update.
  • In addition to security changes for the vulnerabilities, updates include defense-in-depth updates to help improve security-related features.
  • For information on lifecycle and support dates for Windows 10 operating systems, please see the Windows Lifecycle Fact Sheet.

Known Issues

  • 4093112
  • 4093118
  • 4093108

Also this month, Microsoft finally removed its AV compliance key restriction designed to prevent BSOD crashes when installing Meltdown/Spectre updates.

Alongside Microsoft there are the ubiquitous Adobe updates for system administrators to deal with this month.

The firm has patched 19 vulnerabilities in Flash Player, Experience Manager, InDesign, Digital Editions, ColdFusion, and the PhoneGap Push Plugin, six of which are critical.