Patch Tuesday heats up with pair of zero-days, plus 58 other fixes
Microsoft and Adobe have teamed up to deliver more than 70 patches with this month’s Patch Tuesday scheduled release.
Microsoft is making the bulk of the patch releases this month, kicking out fixes for 60 CVE-listed vulnerabilities in its products.
Among the highest priorities are a pair of bugs that are currently being targeted in the wild for zero day attacks. CVE-2018-8373, a remote code execution memory corruption error in the Internet Explorer scripting engine, and CVE-2018-8414, a remote code execution bug from invald file path handling in Windows Shell, have both been the subject of active attacks.
The IE bug is being built into web pages that can infect unpatched browsers, while the Windows Shell bug was being hidden inside PDF files with calls to vulnerable file types embedded in the documents. This means that, in addition to the Windows updates, admins will want to make sure they have this month’s Adobe patches (more on that later).
Readers will not be shocked to learn that most of this month’s Microsoft fixes concern bugs in the browser and scripting engines. Patches for critical flaws in Internet Explorer, Edge, and Chakra Scripting account for 23 of the bugs, including 13 critical remote code execution vulnerabilities.
Outside of the browser, Microsoft has addressed a remote code execution buffer overflow flaw in SQL Server (CVE-2018-8273) and a memory corruption RCE hole in the Windows PDF Library component CVE-2018-8350.
Also catching the eye of security researchers was CVE-2018-8360, a data disclosure issue in .NET Framework that can cause information to spill over from one data stream into another in certain high-density server environments.
“On the surface, an information disclosure vulnerability in .NET doesn’t seem too bad,” noted Dustin Childs of the Trend Micro Zero Day Initiative. “However, this particular bug could allow an attacker to access information in multi-tenant environments. It appears to mostly impact high-load/high-density environments as an attacker could potentially blend different network streams together.”
Oracle: Run, don’t walk, to patch this critical Database takeover bug
Earlier today, El Reg spilled the beans on a trio of new microcode flaws in Intel processors. Microsoft is working to shore up its part by patching the three flaws. The fixes are detailed in a security advisory released with the monthly updates.
Microsoft Office will receive fixes for remote code execution bugs in Excel (CVE-2018-8375, CVE-2018-8379,) and PowerPoint (CVE-2018-8376.
Also patched were information disclosure flaws in Office (CVE-2018-8378), and Excel (CVE-2018-8382), as well as elevation of privilege flaws in Exchange (CVE-2018-8374) and Office (CVE-2018-8412).
Adobe patches Flash, Creative Cloud
For Adobe, August brings fixes for five CVE-listed remote code vulnerabilities in Flash Player and a pair in Acrobat/Reader. Both patches should be installed as soon as possible.
Adobe has also posted fixes for one privilege escalation flaw in Creative Cloud and three vulnerabilities in Experience Manager.
The releases from Microsoft and Adobe come on the heels of an urgent patch from Oracle for Database Server, giving enterprise IT admins will have plenty of work on their plates this weel ®
Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/14/august_bank_holiday/