When you’re hot, you’re hot. And here in Texas and throughout the southern U.S., temperatures have been flirting with the 100° F mark for the past weeks. Summer is here, with a vengeance. The good news is that this month’s slate of Microsoft fixes is relatively light, at least in comparison with last month.

None of the Microsoft operating systems have vulnerabilities numbering the double digits. The largest number of fixes belong to the Edge web browser, and a large percentage of those are rated critical. Of course, web browsers are always a favorite target of attackers, and one of the most difficult components to secure since they have two conflicting jobs: provide a rich platform for an enhanced browsing experience while at the same time keeping users safe from malicious code and other exploits.

Of course, Microsoft also released a plethora of non-security updates, too, as they do every Patch Tuesday.  These include compatibility updates for Windows 7 and 8.1 and a dynamic update for Windows 10 v1709 to make the upgrade experience easier, as well as an update to the servicing stack in the same version of Windows 10.

As always, the Malicious Software Removal Tool (MSRT) is updated to include the latest malware definitions.

Important Notes

There are a few known issues with the KB4338825 update. Some non-English platforms may display a string in English instead of the localized language when reading scheduled jobs you’ve created with Device Guard enabled. Microsoft is still working on a resolution at the time of this writing.

There is also a problem with Windows 7 SP1 when you apply update KB4338818 due to an issue with third party software, that can cause the network interface controller to stop working. Microsoft has provided a workaround for this that involves scanning for hardware changes to automatically rediscover the NIC and install drivers, or updating the network device drivers through the right click menu.

Security Advisories

The following security advisories were released on Patch Tuesday this month:

  • ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities: This advisory is in regard to “speculative execution side-channel attacks,” more commonly known as Spectre, that affect many modern processors and operating systems including Intel, AMD, and ARM. An attacker who successfully exploited these vulnerabilities may be able to read privileged data across trust boundaries. In shared resource environments (such as exists in some cloud services configurations), these vulnerabilities could allow one virtual machine to improperly access information from another.
  • ADV180012 | Microsoft Guidance for Speculative Store Bypass: On January 3, 2018, Microsoft released an advisory and security updates related to a newly-discovered class of hardware vulnerabilities known as Spectre and Meltdown, involving speculative execution side channels that affect AMD, ARM, and Intel CPUs to varying degrees. On May 21st, a new subclass of speculative execution side channel vulnerabilities known as Speculative Store Bypass (SSB) was announced and assigned CVE-2018-3639. An attacker who has successfully exploited this vulnerability may be able to read privileged data across trust boundaries.
  • ADV180015 | Microsoft Office Defense in Depth Update: Microsoft has released an update for Microsoft Office that provides enhanced security as a defense in depth measure. This update improves the memory handling of Office applications that render Office Art. It affects Excel Services, Office 2010, 2013 and 2013 RT, Word automation services, and Office Web Apps Server 2010 and 2013.
  • ADV180016 | Microsoft Guidance for Lazy FP State Restore: On June 13, 2018, an additional vulnerability involving side channel speculative execution, known as Lazy FP State Restore, was announced. An attacker, via a local process, could cause information stored in FP (Floating Point), MMX, and SSE register state to be disclosed across security boundaries on Intel Core family CPUs through speculative execution. An attacker must be able to execute code locally on a system in order to exploit this vulnerability,

Products updated on Patch Tuesday

The full list of Microsoft products that receive fixes in the July updates includes Internet Explorer, Microsoft Edge, Microsoft Windows, Microsoft Office, Microsoft Office Services and Web Apps, ChakraCore, Adobe Flash Player, .NET Framework, ASP.NET, Microsoft Research JavaScript Cryptography Library, Skype for Business and Microsoft Lync, Visual Studio, Microsoft Wireless Display Adapter V2 Software, PowerShell Editor Services, PowerShell Extension for Visual Studio Code, and Web Customizations for Active Directory Federation Services.

Vulnerability counts for the client and server operating systems are as follows:

  • Windows 7: 7 vulnerabilities (none critical)
  • Windows 8.1: 9 vulnerabilities (none critical)
  • Windows 10 version 1607, 1703, and 1709: 8 vulnerabilities (none critical)
  • Windows 10 version 1803: 7 vulnerabilities (none critical)
  • Windows Server 2008 R2: 8 vulnerabilities (none critical)
  • Windows Server 2012 and 2012 R2: 9 vulnerabilities (none critical)
  • Windows Server 2016: 8 vulnerabilities (none critical)

All vulnerabilities in the operating systems are rated “important.”

The situation for the web browsers is more serious, with Edge sporting an even dozen critical vulnerabilities and IE11 containing half that number:

  • Internet Explorer 11: 6 vulnerabilities (4 critical)
  • Microsoft Edge: 19 vulnerabilities (12 critical)

Operating system and web browser security updates

  • KB4338823 — Windows 7 SP1 Security-only update
  • KB4338818 —  Windows 7 SP1 Monthly rollup
  • KB4338815 — Windows 8.1 Monthly Rollup
  • KB4338814 — Windows 10 version 1607
  • KB4338826 — Windows 10 version 1703
  • KB4338825 — Windows 10 version 1709
  • KB4338819 – Windows 10 version 1803
  • KB4291391 — Security Update for Windows Server 2008 and Windows XP Embedded denial of service vulnerability
  • KB4293756 — Security Update for Windows Server 2008 denial of service vulnerability
  • KB4295656 — Security Update for Windows Server 2008 elevation of privilege vulnerability
  • KB4338820 — Security Only Quality Update for Windows Embedded 8 Standard and Windows Server 2012
  • KB4338830 — Security Monthly Quality Rollup for Windows Embedded 8 Standard and Windows Server 2012
  • KB4339503 — Security Update for Windows Server 2008 elevation of privilege vulnerability
  • KB4339854 — Security Update for WES09 and POSReady 2009 4.7.2 for Windows 8.1 and Windows Server 2012 R2
  • KB4338832 — Adobe Flash Player update
  • KB4339093 — Cumulative Security Update for Internet Explorer
  • Multiple Security Updates for WES09 and POSReady 2009
  • Multiple Security Updates for .NET Framework

Critical vulnerabilities

Some of the most important critical vulnerabilities addressed by these updates include the following:

  • CVE-2018-8242 | Scripting Engine Memory Corruption Vulnerability: A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system.
  • CVE-2018-8262 | Microsoft Edge Memory Corruption Vulnerability: A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that enables an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system.
  • CVE-2018-8274 | Microsoft Edge Memory Corruption Vulnerability: Another remote code execution vulnerability.
  • CVE-2018-8275 | Microsoft Edge Memory Corruption Vulnerability: Another remote code execution vulnerability.
  • CVE-2018-8279 | Microsoft Edge Memory Corruption Vulnerability: Another remote code execution vulnerability.
  • CVE-2018-8280 | Chakra Scripting Engine Memory Corruption Vulnerability: A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge.

Note that this list does not include all of the critical vulnerabilities that are addressed by the June patches.