Jump to content

Microsoft April Patch Tuesday – Update your system now to avoid being hacked by visiting a site


Recommended Posts

Adobe's Flash also up the spout




Microsoft has released the April edition of its monthly security update, this time addressing a total of 63 CVE-listed vulnerabilities.


This month's update includes critical fixes for the usual suspects: Windows, Edge, Internet Explorer, and Office, as well as one flaw Redmond previously fixed with an unscheduled update. You should install these fixes as soon as you can, if your system hasn't already.


Just one of this month's patches is for a zero-day flaw; CVE-2018-1034 is an elevation of privilege vulnerability in SharePoint that, when exploited via a poisoned web request, allows an attacker to run script with the security clearance of the current user. Microsoft says the most likely use for the bug would be cross-site scripting attacks.


Among the more serious bugs are a set of five remote code execution vulnerabilities in the graphics component of Windows and Windows Server (CVE-2018-1010, CVE-2018-1012, CVE-2018-1013, CVE-2018-1015, CVE-2018-1016). Each of those vulnerabilities would allow an attacker to pwn PCs via a specially-crafted font, in some cases by simply putting the font on a web page viewed by the target.


"Those of us who lived through Duqu always shudder a bit when we see font-related bugs, and these have me downright shivering," writes Dustin Childs of the Zero Day Initiative.


"Since there are many ways to view fonts – web browsing, documents, attachments – it’s a broad attack surface and attractive to attackers."

Script, script, and script again

The usual crop of scripting engine bugs were patched for Edge and Internet Explorer. The two browsers combined for 10 memory corruption and remote code execution scripting vulnerabilities, while Internet Explorer also saw fixes for four additional (CVE-2018-0870, CVE-2018-0991, CVE-2018-1018, CVE-2018-1020) memory corruption remote code vulnerabilities of its own.


Office, meanwhile, is getting fixes for a number of nasty bugs, including remote code execution flaws in VBScript (CVE-2018-1004), Excel (CVE-2018-0920,) and an information disclosure bug in apps that handle .RTF files (CVE-2018-0950).


Server admins will want to take note of the fix for CVE-2018-0957, an information disclosure flaw that allows nefarious VMs to view memory contents of the host system outside of the hypervisor.


Also listed in the monthly update was the patch for CVE-2018-0986, a remote code flaw in Windows Defender that was traced back to an open-source archiving tool Microsoft forked years ago.

Childs notes that because Malware Protection Engine isn't part of the monthly patch schedule, this shouldn't be considered an 'out of band' fix. He is technically correct (the best kind of correct).

Microsoft even snuck in a hardware fix to the April updates. The patch load includes a fix for the Wireless 850 Keyboard to address a particularly nasty bug CVE-2018-8117 that lets an attacker bypass security checks with an old AES and record keystrokes or hijack and inject packets sent from the wireless keyboard to the PC.

And now you're done with Windows...

Once you've installed the Windows updates, you'll want to make sure you get this month's fixes from Adobe.


They include an update to Flash Player that patches three remote code execution vulnerabilties and three information disclosure flaws. Microsoft has issued its own patch for the Internet Explorer version of Flash Player.


ColdFusion users will want to download an update to address five flaws; one remote code execution vulenrability, three information disclosure bugs, and a local privilege escalation flaw.


Adobe also kicked out fixes for three cross-site scripting bugs in Experience Manager, memory corruption and privilege elevation flaws in InDesign, information disclosure flaws in Digital Editions, and a Same Origin Method Execution flaw in the PhoneGap plugin.



Link to comment
Share on other sites

  • Replies 2
  • Views 690
  • Created
  • Last Reply

Microsoft April Patch Tuesday – Update your system now to avoid being hacked by visiting a site

Microsoft has released April Patch Tuesday security updates that address 66 vulnerabilities, five of them could be exploited by an attacker to compromise a PC by just tricking the victims into visiting a website or opening a specifically crafted file.

Hackers can compromise your computer just visiting a malicious website or clicking a malicious link.

Microsoft has released April Patch Tuesday that addresses 66 vulnerabilities, 24 of which are rated critical and five of them could be exploited by an attacker to compromise a PC by just tricking the victims into visiting a website or opening a specifically crafted file.

Microsoft April Patch Tuesday includes the fix for five critical remote code execution vulnerabilities in Windows Graphics Component (CVE-2018-1010-1012-1013-1015-1016) that are related to improper handling of embedded fonts by the Font Library.

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website,” reads the advisory for the CVE-2018-1013.

“An attacker could also embed an ActiveX control marked ‘safe for initialization’ in an application or Microsoft Office document that hosts the IE rendering engine.”

The flaws were discovered by Hossein Lotfi, a security researcher at Flexera Software. and affect all versions of Windows OS to date.

Microsoft also addressed a denial of service vulnerability in Windows Microsoft Graphics that could be exploited by an attacker to cause a targeted system to stop responding. This vulnerability tied the way Windows handles objects in memory.

Microsoft April Patch Tuesday also addressed a critical RCE vulnerability, tracked as CVE-2018-1004, that resides in the Windows VBScript Engine and affects all versions of Windows.

“An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” read the security advisory published by Microsoft.

April Patch Tuesday

Microsoft security updates also address a total of six vulnerabilities in Adobe Flash Player, three of which were rated critical.

Users need to apply security updates as soon as possible to protect their systems.



Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...