It seems as if this year just began, but here we are – it’s already the second Tuesday in May and we’re almost halfway through the second quarter. Spring has sprung, at least here in Texas, and summer is almost upon us. School children (and their teachers) are looking forward to a few months of freedom, and many are gearing up for proms and graduation ceremonies. Moms will soon have their day.

And in the IT world, many are happily planning a brief escape to the beach, the mountains, or some other user-free haven where we can unplug for a while from the daily responsibilities of our jobs and recharge our own internal batteries.

But first, we have to make sure we leave our systems and networks in a secure state, and you know what that means: getting all the updates up-to-date. And that starts with this month’s Microsoft Patch Tuesday updates. The good news is that we’re looking at only an average number of vulnerabilities this time. However, several of those are critical, so getting the patches applied in a timely manner should be a priority.

In addition to the regular fixes, we also have a major Windows 10 update to contend with. It’s called the April 2018 update, and it was officially released and made available for download and manual installation on the last day of that month, but it didn’t start rolling out through Windows automatic updates until today (Patch Tuesday). It includes a number of new features, as well as a few bugs, so we’ll address it in a separate article of its own within the next week.

For now, let’s take a closer look at some of the regular Patch Tuesday security update summaries.

Security Advisories

The following security advisory was released on Patch Tuesday this month:

Security Advisory ADV180008, Adobe Flash Security Update, affects Windows 8.1, 8.1 RT, and 10, and Server 2012/2012 R2 and 2016. Adobe rated this update as a priority 2. It addresses a single critical vulnerability, a type confusion issue, that could be exploited to achieve remote code execution. You can find more information about this vulnerability and the fix on Adobe’s site at https://helpx.adobe.com/security/products/flash-player/apsb18-16.html

Products Updated on Patch Tuesday

Here is a summary of the number of vulnerabilities that were patched in each of the operating systems and web browsers in this month’s batch of updates:

  • Windows 7 and Windows 8.1: 11 vulnerabilities (2 of which are critical)
  • Windows 10 v1607: 18 vulnerabilities (3 of which are critical)
  • Windows 10 v1703: 19 vulnerabilities (3 of which are critical)
  • Windows 10 v1709: 20 vulnerabilities (3 of which are critical)
  • Windows 10 v1803: 16 vulnerabilities (3 of which are critical)
  • Windows Server 2008 R2, Windows Server 2012 and 2012 R2: 11 vulnerabilities (2 of which are critical)
  • Windows Server 2016: 18 vulnerabilities (3 of which are critical)
  • Internet Explorer 11: 9 vulnerabilities (6 of which are critical)
  • Microsoft Edge: 18 vulnerabilities (13 of which are critical)

In addition to the operating system and web browser updates, this month’s slate of fixes includes updates for Microsoft Office Services and Web Apps, ChakraCore, .NET Framework, Exchange Server, and Windows Host Compute Service Shim.

Operating system and web browser cumulative security updates

  • KB4103716 – Cumulative Update for Windows 10 version 1507.
  • KB4103723 – Cumulative Update for Windows 10 version 1607 and Windows Server 2016 includes security updates to Microsoft Edge, Internet Explorer, Microsoft scripting engine, Windows app platform and frameworks, Device Guard, Windows kernel, Microsoft Graphics Component, Windows Hyper-V, HTML help, and Windows Server.
  • KB4103731 – Cumulative Update for Windows 10 version 1703.
  • KB4103727 – Cumulative Update for Windows 10 version 1709 includes security updates to Microsoft Edge, Internet Explorer, Microsoft scripting engine, Windows app platform and frameworks, Device Guard, Windows kernel, Microsoft Graphics Component, Windows Hyper-V, HTML help, and Windows Server, along with security fixes for Windows storage and file systems, Windows virtualization and kernel.
  • KB4103721 – Cumulative Update for Windows 10 version 1803 includes security updates to Microsoft Edge, Internet Explorer, Microsoft scripting engine, Windows app platform and frameworks, Device Guard, Windows kernel, Microsoft Graphics Component, Windows Hyper-V, HTML help, and Windows Server, along with security fixes for Windows storage and file systems, Windows virtualization and kernel.

Security updates for Windows XP Embedded and Windows Embedded 8 Standard were also released.

Critical vulnerabilities

Some of the most important critical vulnerabilities addressed by these updates include the following:

  • Chakra Scripting Engine Memory Corruption Vulnerability. A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.
  • Scripting Engine Memory Corruption Vulnerabilities. A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.
  • Microsoft Browser Memory Corruption Vulnerability. A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.
  • Hyper-V vSMB Remote Code Execution Vulnerability. A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate vSMB packet data. An attacker who successfully exploited the vulnerability could execute arbitrary code on a target operating system. To exploit the vulnerability, an attacker running inside a virtual machine could run a specially crafted application that could cause the Hyper-V host operating system to execute arbitrary code.
  • Microsoft Exchange Memory Corruption Vulnerability. A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the System user. An attacker could then install programs; view, change, or delete data; or create new accounts. Exploitation of the vulnerability requires that a specially crafted email be sent to a vulnerable Exchange server.

For the full list and/or to download the Excel spreadsheet listing all of the vulnerabilities, please see the Security Update Guide at https://portal.msrc.microsoft.com/en-us/security-guidance.