Many Microsoft Patches Released That Address Critical Issues; Update Systems Immediately

If you’re not one to follow Microsoft “Patch Tuesday” updates, the one released this week is pretty important. It fixes 67 vulnerabilities, including two that are actively being exploited in the wild. Two of them address publicly disclosed bugs. A whopping 21 are rated critical, 42 important, and only 4 were rated as low severity. They apply to Microsoft Windows, Internet Explorer, Edge, Office, Office Exchange Server, Outlook, .NET Framework, Microsoft Hyper-V, Chakra Core, Azure IoT SDK, as well as more. Pretty much, if you own anything Microsoft, you should pay attention to this latest patch release.

One of the most important ones addresses what is being called “Double Kill” by researchers. If it is exploited, it may allow an attacker to remotely take over your computer and execute malicious code. There are several ways it may make its way onto your device including via a malicious website or Microsoft Office documents.

Per the Microsoft advisory, “In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website.”

Another important one to be sure to update is considered one of the most critical of the bunch. It’s a “use after free” one in the Windows VBScript engine. It can be abused to force Internet Explorer to load and do something that you may not want it to and that may cause serious damage. It is a zero-day attack, meaning it’s being actively exploited now and uses malicious Microsoft Word documents to do its deeds. It was first identified by Kaspersky Lab and is designated by CVE-2018-8174 if you want more technical details. As is normal, malicious documents get emailed. Remember not to click attachments you are not expecting, come from unknown senders, or that seem suspicious in any way.

Another significant one is a Hyper-V fix. It’s CVE-2018-0961. The advisory states that it may allow an attacker to “run a specially crafted application that could cause the Hyper-V host operating system to execute arbitrary code.”

How can any significant Patch Tuesday be complete without a critical fix for Adobe Flash Player. It fixes a “type confusion” flaw. It can be exploited and allow arbitrary code to be executed on a system.

There are many more, but suffice it to say that everyone is encouraged to update their systems as soon as possible. If you aren’t quite sure where to start, Microsoft offered some help. First, fix CVE-2018-8174, which addresses the “use after free” issue. Then go to the Hyper V issue. After that, just keep making your way down the list.

In the meantime, take note that Microsoft is no longer supporting Windows 10 version 1607 (the “Anniversary Update”). Business users can still get updates for six months or choose to pay for expensive extended support contracts.

For installing security updates, head on to Settings, then Update & Security, then Windows Update, and finally Check for updates. Alternatively, you can install the updates manually, should you choose. Whatever you do, get to these right away.

Stickley on Security
Published May 11, 2018