Here we go again. It’s August 14, and after last month’s buggy patches – with numerous known issues, particularly regarding .NET, Windows 7 and 8.1 – it’s not surprising that many IT pros are feeling at least a little wary about what might be in store this time. There were enough problems that Woody Leonhard over at Computerworld advised users to skip the July updates, and Susan Bradley wrote an open letter to Microsoft top management regarding the quality of recent updates. Ouch.

As expected, this month brings new updates for the .NET Framework (presumably to fix last month’s problems and get it right this time), as well as the usual updates for Windows client and server operating systems, the Microsoft web browsers, Office, and Adobe Flash. Also, there are updates to ChakraCore, Exchange Server, SQL Server, and Visual Studio. In the Release Notes, you’ll see several known issues listed; some of these are simple instructions to run the update in administrative mode, but others are more serious.

If you peruse the CVEs addressed today in the Security Update Guide, you will see a whole slew of critical remote code execution (RCE) vulnerabilities are being patched. In all, sixty vulnerabilities are fixed across all the products in this batch of patches. Two of those are zero-day vulnerabilities – that is, security flaws that are already being exploited in the wild. These include:

  • Windows Shell remote code execution CVE-2018-8414 – This RCE issue is caused by Windows Shell not properly validating file paths when executing SettingContent-ms files, and can be used by an attacker to take control of the affected system.
  • Internet Explorer scripting engine memory corruption vulnerability CVE-2018-8373 – This is another RCE vulnerability that an attacker can exploit to execute arbitrary code in the context of the current user. It can be exploited via web-based attacks or email documents that embed the IE rendering engine.

Also addressed by the August updates is the Cortana login bypass issue, CVE-2018-8253, that was discovered by McAfee and reported to Microsoft in June, which could be exploited to force Edge to navigate to a URL controlled by the attacker.

As always, the Malicious Software Removal Tool (MSRT) is updated to include the latest malware definitions.

Security Advisories

The following security advisory was released on Patch Tuesday this month:

  • ADV180018 – Microsoft Guidance to mitigate L1TF variant – This is an advisory regarding a new speculative execution side-channel vulnerability called L1 Terminal Fault, assigned vulnerabilities CVE-2018-3615, -3620, and -3646. These are of the same type as the infamous Spectre and Meltdown vulnerabilities, and both firmware and software updates are needed to protect against these vulnerabilities.
  • ADV180020 – This is the usual security advisory regarding the update for Adobe Flash, which applies to all versions of Windows 10, Windows 8.1 and RT 8.1, and Windows Server versions 2012, 2012 R2, and 2016. The update (Adobe APSB18-25) is rated Priority 2 by Adobe and addresses five vulnerabilities, all of which are rated important. These include three information disclosure, one security mitigation bypass, and one privilege escalation issue. The advisory describes a number of mitigations and workarounds.
  • ADV180021 – This is an advisory regarding a defense-in-depth update for Microsoft Outlook 2010, 2013, 2016, and 2016 Click-to-Run.

The following previously released advisory was updated on August 14:

  • ADV180016 – Microsoft Guidance for Lazy FP State Restore

Operating system, OS components, and web browser updates

The following updates to the Windows operating systems were released on August 14:

KB4343885 for Windows 10, v1703 (also contains updates for Windows 10 Mobile)

  • Protects against a new speculative execution side-channel vulnerability known as L1 Terminal Fault (L1TF) that affects Intel® Core® processors and Intel® Xeon® processors (CVE-2018-3620 and CVE-2018-3646).
  • Addresses an issue that causes Internet Explorer to stop working for certain websites. 
  • Updates support for the draft version of the Token Binding protocol v0.16. 
  • Addresses an issue that causes Device Guard to block some ieframe.dll class IDs after installing the May 2018 Cumulative Update. 
  • Ensures that Internet Explorer and Microsoft Edge support the preload="none" tag.
  • Addresses a vulnerability related to the Export-Modulemember() function when used with a wildcard (*) and a dot-sourcing script.
  • Addresses an issue that was introduced in the July 2018 .NET Framework update. Applications that rely on COM components were failing to load or run correctly because of “access denied,” “class not registered,” or “internal failure occurred for unknown reasons” errors.
  • Security updates to Windows Server.

KB4343887 for Windows 10 v1607 and Windows Server 2016.

  • Protects against a new speculative execution side-channel vulnerability known as L1 Terminal Fault (L1TF) that affects Intel® Core® processors and Intel® Xeon® processors (CVE-2018-3620 and CVE-2018-3646).
  • Addresses an issue that causes high CPU usage that results in performance degradation on some systems with Family 15h and 16h AMD processors. This issue occurs after installing the June 2018 or July 2018 Windows updates from Microsoft and the AMD microcode updates that address Spectre Variant 2 (CVE-2017-5715 – Branch Target Injection).
  • Addresses an issue that causes Internet Explorer to stop working for certain websites. 
  • Addresses an issue that causes Device Guard to block some ieframe.dll class IDs after installing the May 2018 Cumulative Update. 
  • Ensures that Internet Explorer and Microsoft Edge support the preload="none" tag.
  • Addresses a vulnerability related to the Export-Modulemember() function when used with a wildcard (*) and a dot-sourcing script.
  • Security updates to Windows Server.

KB4343892 for Windows 10

  • Protects against a new speculative execution side-channel vulnerability known as L1 Terminal Fault (L1TF) that affects Intel® Core® processors and Intel® Xeon® processors (CVE-2018-3620 and CVE-2018-3646).
  • Addresses additional issues with updated time zone information. 
  • Addresses an issue that prevents users from unlocking their computer if their password has expired. This issue occurs when fast user switching has been disabled, and the user has locked the computer. 
  • Updates support for the draft version of the Token Binding protocol v0.16. 
  • Addresses an issue in which decrypted data fails to clear from memory, in some cases, after a CAPI decryption operation was completed. 
  • Ensures that Internet Explorer and Microsoft Edge support the preload="none" tag.
  • Addresses a vulnerability related to the Export-Modulemember() function when used with a wildcard (*) and a dot-sourcing script. 

KB4343897 for Windows 10 v1709

  • Protects against a new speculative execution side-channel vulnerability known as L1 Terminal Fault (L1TF) that affects Intel® Core® processors and Intel® Xeon® processors (CVE-2018-3620 and CVE-2018-3646).
  • Addresses an issue that causes high CPU usage that results in performance degradation on some systems with Family 15h and 16h AMD processors. This issue occurs after installing the June 2018 or July 2018 Windows updates from Microsoft and the AMD microcode updates that address Spectre Variant 2 (CVE-2017-5715 – Branch Target Injection).
  • Updates support for the draft version of the Token Binding protocol v0.16. 
  • Addresses an issue that causes Device Guard to block some ieframe.dll class IDs after the May 2018 Cumulative Update is installed. 
  • Ensures that Internet Explorer and Microsoft Edge support the preload="none" tag.
  • Addresses an issue that displays “AzureAD” as the default domain on the sign-in screen after installing the July 24, 2018 update on a Hybrid Azure AD-joined machine. As a result, users may fail to sign in on Hybrid Azure AD-joined machines when they provide only their username and password.
  • Addresses an issue that adds additional spaces to content that’s copied from Internet Explorer to other apps.
  • Addresses a vulnerability related to the Export-Modulemember() function when used with a wildcard (*) and a dot-sourcing script. 

KB4343909 for Windows 10 v1803

  • Protects against a new speculative execution side-channel vulnerability known as L1 Terminal Fault (L1TF) that affects Intel® Core® processors and Intel® Xeon® processors (CVE-2018-3620 and CVE-2018-3646).
  • Addresses an issue that causes high CPU usage that results in performance degradation on some systems with Family 15h and 16h AMD processors. This issue occurs after installing the June 2018 or July 2018 Windows updates from Microsoft and the AMD microcode updates that address Spectre Variant 2 (CVE-2017-5715 – Branch Target Injection).
  • Addresses an issue that prevents apps from receiving mesh updates after resuming. This issue occurs for apps that use Spatial Mapping mesh data and participate in the Sleep or Resume cycle. 
  • Ensures that Internet Explorer and Microsoft Edge support the preload="none" tag.
  • Addresses an issue that prevents some applications running on HoloLens, such as Remote Assistance, from authenticating after upgrading from Windows 10, version 1607, to Windows 10, version 1803. 
  • Addresses an issue that significantly reduced battery life after upgrading to Windows 10, version 1803. 
  • Addresses an issue that causes Device Guard to block some ieframe.dll class IDs after installing the May 2018 Cumulative Update. 
  • Addresses a vulnerability related to the Export-Modulemember() function when used with a wildcard (*) and a dot-sourcing script.
  • Addresses an issue that was introduced in the July 2018 .NET Framework update. Applications that rely on COM components were failing to load or run correctly because of “access denied,” “class not registered,” or “internal failure occurred for unknown reasons” errors.
  • Security updates to Windows Server.

KB4343898 Monthly rollup for Windows 8.1, Server 2012 R2

  • Protects against a new speculative execution side-channel vulnerability known as L1 Terminal Fault (L1TF) that affects Intel® Core® processors and Intel® Xeon® processors (CVE-2018-3620 and CVE-2018-3646).
  • Ensures that Internet Explorer and Microsoft Edge support the preload="none" tag.
  • Addresses an issue that may prevent your device from starting up properly if you install KB3033055 (released September 2015) after installing any Monthly Rollup dated November 2017 or later.

KB4343900 Monthly rollup for Windows 7 SP1, Windows Server 2008 R2 SP1

  • Protects against a new speculative execution side-channel vulnerability known as L1 Terminal Fault (L1TF) that affects Intel® Core® processors and Intel® Xeon® processors (CVE-2018-3620 and CVE-2018-3646).
  • Addresses an issue that causes high CPU usage that results in performance degradation on some systems with Family 15h and 16h AMD processors. This issue occurs after installing the June 2018 or July 2018 Windows updates from Microsoft and the AMD microcode updates that address Spectre Variant 2 (CVE-2017-5715 – Branch Target Injection).
  • Protects against an additional vulnerability involving side-channel speculative execution known as Lazy Floating Point (FP) State Restore (CVE-2018-3665) for 32-Bit (x86) versions of Windows.

KB4343205 Cumulative security update for Internet Explorer 11

This security update resolves several reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage in Internet Explorer. 
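Since ADV180018 notes that L1TF needs both a firmware (microcode) update and the OS update, the practical question for an administrator is whether this month's cumulative update or rollup actually landed and whether the L1TF mitigation is enabled afterwards. The script below is an added example for this post (not Microsoft's own tooling, and not from the original article). It uses the KB numbers listed above and Microsoft's SpeculationControl module from the PowerShell Gallery; the `L1TF*` property names are those I recall Get-SpeculationControlSettings returning in the version that added L1TF reporting, so treat them as an assumption and confirm against your installed module version (older versions have no L1TF fields at all).

```powershell
# Added example, not from the original post: confirm the August 14, 2018 Windows
# update is installed and report L1TF (CVE-2018-3620 / CVE-2018-3646) mitigation state.
# Run in an elevated PowerShell session on the machine being checked.

# KB numbers as listed in this post, keyed by the OS each applies to.
$AugustKbs = @{
    'Windows 10 v1703'               = 'KB4343885'
    'Windows 10 v1607 / Server 2016' = 'KB4343887'
    'Windows 10 (version not stated)' = 'KB4343892'
    'Windows 10 v1709'               = 'KB4343897'
    'Windows 10 v1803'               = 'KB4343909'
    'Windows 8.1 / Server 2012 R2'   = 'KB4343898'
    'Windows 7 SP1 / Server 2008 R2' = 'KB4343900'
    'Internet Explorer 11 (cumulative)' = 'KB4343205'
}

# Which of this month's KBs (if any) does Windows report as installed?
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$present   = $AugustKbs.GetEnumerator() | Where-Object { $installed -contains $_.Value }
if ($present) {
    $present | ForEach-Object { "Installed: $($_.Value) ($($_.Key))" }
} else {
    'None of the August 14, 2018 updates listed in this post is installed.'
}

# Load Microsoft's SpeculationControl module; install it once from the Gallery if missing.
if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
    Install-Module -Name SpeculationControl -Scope CurrentUser -Force
}
Import-Module SpeculationControl
# -Quiet suppresses the module's narrative output so only the object is returned.
$sc = Get-SpeculationControlSettings -Quiet

# Property names below are an assumption (from the module version that added L1TF
# reporting). Interpretation: OS support absent => the August update is not installed;
# support present but not enabled => typically disabled by policy or microcode missing.
[pscustomobject]@{
    HardwareVulnerable = $sc.L1TFHardwareVulnerable
    OsSupportPresent   = $sc.L1TFWindowsSupportPresent
    OsSupportEnabled   = $sc.L1TFWindowsSupportEnabled
    Mitigated          = (-not $sc.L1TFHardwareVulnerable) -or
                         ($sc.L1TFWindowsSupportPresent -and $sc.L1TFWindowsSupportEnabled)
}
```

The KB check deliberately matches only the exact IDs from this post: a later cumulative update supersedes these and will not appear under the same HotFixID, so on a machine patched beyond August the first part reports nothing while the SpeculationControl output still shows the real mitigation state, which is the value that matters.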

Server products and Office updates

  • KB4340731 Cumulative update for Exchange Server 2013 and 2016 – addresses two security vulnerabilities that include a memory corruption remote code execution issue and a tampering vulnerability that could be exploited to modify a user’s profile data.
  • KB4293801, 4293802, 4293803, 4293805, 4293807, 4293808 – these six critical updates for SQL Server 2016 and 2017 address remote code execution vulnerabilities.
  • KB4032198 for Office 2010, KB4032239 for Office 2013, KB4032233 for Office 2016, KB4032220 for SharePoint 2010 Office Web Apps – these updates address an out-of-bounds read/information disclosure vulnerability that could be exploited to view the contents of memory. (Updates for the Office Compatibility Pack, Office 2013 RT, Office 2013 Click-to-Run and Office 2016 for Mac were also released). All Office updates are rated as important.

Other software/services

  • Visual Studio 2017 v15.0 was released on August 14. It addresses an elevation of privilege vulnerability and is rated important.

Critical vulnerabilities

Some of the most important critical vulnerabilities addressed by these updates include the following:

  • Microsoft browser memory corruption vulnerabilities CVE-2018-8403 – These are remote code execution issues that could allow an attacker to execute arbitrary code.
  • Chakra scripting engine memory corruption vulnerabilities CVE-2018-8266 – These are remote code execution issues that exist in the way Chakra scripting handles objects in memory.
  • Scripting Engine memory corruption vulnerability CVE-2018-8372 – This is a remote code execution vulnerability caused by the way the scripting engine handles objects in memory in Microsoft web browsers, which could be exploited to run arbitrary code in the context of the current user.
  • Microsoft SQL Server Remote Code Execution vulnerability CVE-2018-8273 – This is a buffer overflow issue that could be exploited to allow remote code execution on an affected system and enable an attacker to execute code in the context of the SQL Server Database Engine service account.
  • Microsoft Exchange memory corruption vulnerability CVE-2018-8302 – This is a remote code execution vulnerability whereby the Microsoft Exchange software fails to properly handle objects in memory, which could be exploited by an attacker to run arbitrary code in the context of the System user.
  • Microsoft Graphics Remote Code Execution vulnerability CVE-2018-8344 – This is a remote code execution vulnerability caused by the Windows font library improperly handling specially crafted embedded fonts, and could be exploited by an attacker to take control of the affected system.
  • LNK Remote Code Execution vulnerability CVE-2018-8345 – This is a remote code execution issue that could allow execution of arbitrary code if a .LNK file is processed, giving the attacker the same user rights as the local user.

  • Windows PDF Remote Code Execution vulnerability CVE-2018-8350 – This is an RCE vulnerability caused by the Windows PDF library’s improper handling of objects in memory that could enable an attacker to execute arbitrary code in the context of the current user.