Patch Tuesday again already? Yes, February was a short month, so it seems as if update day got here a tad more quickly than usual. Microsoft released a full slate of fixes for a number of vulnerabilities in Windows and the Internet Explorer and Edge web browsers. Windows 10 version 1607 and Server 2016 came in with the largest number of security issues patched; the update for each of them fixes 29 vulnerabilities.

There is some good news, however: none of the vulnerabilities in Windows client and server operating systems are rated as critical (all of them are classified as important). There are critical vulnerabilities that are patched in the web browsers, though – two in IE and 12 in Edge, along with four and five important vulnerabilities, respectively.  

The critical browser vulnerabilities are scripting engine and Chakra scripting memory corruption issues, along with a pair of information disclosure vulnerabilities. There are also critical vulnerabilities in Adobe Flash Player for Windows that are addressed in these updates.

Let’s take a closer look at some of the security advisories, update summaries, and some of the vulnerabilities that they are designed to fix.

Security Advisories

The following security advisory was released on Patch Tuesday this month:

Security Advisory ADV180006, Adobe Flash Security Update, affects Windows 8.1, 8.1 RT, 10 and Server 2012, 2012 R2, and 2016. Adobe rated this update as a priority 2. It addresses two critical vulnerabilities that could be exploited to accomplish remote code execution, one of which is a use-after-free issue and the other a type confusion vulnerability.

Products Updated on Patch Tuesday

As noted above, no matter which version of Windows you have (client or server), none of this month’s updates for the OS is rated as critical. The bad news is that if you’re using the Edge browser (or even if you’re not, but have it installed), you have twelve critical vulnerabilities to be concerned about. Here is the “quick and dirty” rundown:

  • Windows 7: 21 vulnerabilities
  • Windows 8.1: 20 vulnerabilities
  • Windows 10 v1607:  29 vulnerabilities
  • Windows 10 v1703: 28 vulnerabilities
  • Windows 10 v1709: 24 vulnerabilities
  • Windows Server 2008: 21 vulnerabilities
  • Windows Server 2008 R2: 22 vulnerabilities
  • Windows Server 2012 and 2012 R2: 21 vulnerabilities
  • Windows Server 2016: 29 vulnerabilities
  • Internet Explorer 11: 7 vulnerabilities (2 critical)
  • Microsoft Edge: 16 vulnerabilities (12 critical)

Cumulative Updates/Rollups

  • KB4088875 – Windows 7 SP1 and Windows Server 2008 R2 Monthly Rollup. This security update includes improvements and fixes that were a part of update KB4075211. It includes security updates to Internet Explorer, the Microsoft Graphics component, Windows Kernel, Windows Shell, Windows MSXML, Windows Installer, and Windows Hyper-V. Importantly, it provides cumulative Spectre and Meltdown protections for 32-bit (x86) and 64-bit (x64) versions of Windows, with the exception of the KB4078130 update, which was offered to disable the mitigation against Spectre Variant 2.
  • KB4088876 – Windows 8.1 and Windows Server 2012 R2 Monthly Rollup. This security update includes improvements and fixes that were a part of update KB4075212. It addresses the same components mentioned above, and also provides the same Spectre and Meltdown protections with the same exception.
  • KB4088879 – Windows 8.1 and Windows Server 2012 R2 Monthly Rollup. This update provides fixes for the same components mentioned above, and also provides the same Spectre and Meltdown protections with the same exception. It also addresses a logon issue with Server 2012 R2 servers when using a custom credential provider on a console or RDP.
  • KB4089187 – Cumulative security update for Internet Explorer: March 13, 2018. This security update resolves several reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage in Internet Explorer. The fixes included in this Security Update for Internet Explorer 4089187 are also included in the March 2018 Security Monthly Quality Rollup.
  • KB4088785 – Security update for Adobe Flash Player: March 13, 2018. This security update resolves the vulnerabilities described in Security Advisory ADV180006 above, in Adobe Flash Player that is installed on any supported edition of Windows Server Version 1709, Windows Server 2016, Windows 10 Version 1709 (Fall Creators Update), Windows 10 Version 1703 (Creators Update), Windows 10 Version 1607, Windows 10 Version 1511, Windows 10 RTM, Windows Server 2012 R2, Windows 8.1, or Windows RT 8.1. For more information, see Adobe’s Security Bulletin APSB18-05, also released on March 13.

Security updates for Windows XP Embedded and Windows Embedded 8 Standard were also released.
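To confirm that a given machine actually received the updates listed above, the following Windows PowerShell check (an added example, not part of the original article or any Microsoft tooling) reports which of the listed KBs apply to the local OS and whether each is installed. The function name and the OS-caption patterns are assumptions; KB4089187 is left out because, as noted above, its fixes also ship inside the Monthly Rollup.

```powershell
# KB numbers and product names come from the list above. The OS-caption
# patterns and the function name are assumptions made for this example.
$March2018Updates = @(
    @{ KB = 'KB4088875'; AppliesTo = 'Windows 7|Server 2008 R2' }
    @{ KB = 'KB4088876'; AppliesTo = 'Windows 8\.1|Server 2012 R2' }
    @{ KB = 'KB4088879'; AppliesTo = 'Windows 8\.1|Server 2012 R2' }
    @{ KB = 'KB4088785'; AppliesTo = 'Windows 8\.1|Windows 10|Server 2012 R2|Server 2016' }
)

function Get-March2018UpdateStatus {
    # Win32_OperatingSystem.Caption looks like
    # "Microsoft Windows Server 2012 R2 Standard".
    $caption = (Get-WmiObject -Class Win32_OperatingSystem).Caption.Trim()

    # Get-HotFix reads Win32_QuickFixEngineering; HotFixID holds the KB number.
    $installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })

    foreach ($update in $March2018Updates) {
        # Skip updates that are not offered to this operating system.
        if ($caption -notmatch $update.AppliesTo) { continue }

        New-Object PSObject -Property @{
            OS        = $caption
            KB        = $update.KB
            Installed = ($installed -contains $update.KB)
        }
    }
}

Get-March2018UpdateStatus | Format-Table KB, Installed, OS -AutoSize
```

Because Monthly Rollups are cumulative, a host that skipped March and installed a later rollup will show `Installed` as `False` here while still carrying the fixes, so treat a `False` result as a prompt to check the newest rollup rather than as proof of exposure.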

Critical vulnerabilities

Some of the critical vulnerabilities addressed by these updates include the following:

  • CVE-2018-0872, -0874 – Chakra Scripting Engine Memory Corruption Vulnerability. This is a remote code execution vulnerability in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. It is rated critical. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.
  • CVE-2018-0876 – Scripting Engine Memory Corruption Vulnerability. This is a remote code execution vulnerability in the way that the scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • CVE-2018-0889 – Scripting Engine Memory Corruption Vulnerability. This is another remote code execution vulnerability in the way that the scripting engine handles objects in memory in Internet Explorer that could lead to remote code execution.
  • CVE-2018-0893 – Scripting Engine Memory Corruption Vulnerability. This is another remote code execution vulnerability in the way that the scripting engine handles objects in memory in Microsoft Edge that could lead to remote code execution.  
  • CVE-2018-0925 – Scripting Engine Memory Corruption Vulnerability. This is another remote code execution vulnerability in the way that the ChakraCore scripting engine handles objects in memory that could lead to remote code execution.
  • CVE-2018-0930 – Chakra Scripting Engine Memory Corruption Vulnerability. This is another remote code execution vulnerability in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge that could lead to remote code execution.
  • CVE-2018-0931 – Chakra Scripting Engine Memory Corruption Vulnerability. This is another remote code execution vulnerability in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge that could lead to remote code execution.
  • CVE-2018-0932 – Microsoft Browser Information Disclosure Vulnerability. This is an information disclosure vulnerability that exists when affected Microsoft browsers improperly handle objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system.
  • CVE-2018-0933 – Chakra Scripting Engine Memory Corruption Vulnerability. This is another remote code execution vulnerability in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge that could lead to remote code execution.
  • CVE-2018-0934 – Chakra Scripting Engine Memory Corruption Vulnerability. This is another remote code execution vulnerability in the way that the Chakra scripting engine handles objects in memory in Microsoft Internet Explorer that could lead to remote code execution.
  • CVE-2018-0936 – Chakra Scripting Engine Memory Corruption Vulnerability. This is another remote code execution vulnerability in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge that could lead to remote code execution.
  • CVE-2018-0937 – Chakra Scripting Engine Memory Corruption Vulnerability. This is another remote code execution vulnerability in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge that could lead to remote code execution.
  • CVE-2018-0939 – Scripting Engine Information Disclosure Vulnerability. This is an information disclosure vulnerability that exists when the scripting engine does not properly handle objects in memory in Microsoft Edge. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.

Join us next month for another edition of Microsoft Patch Tuesday!