UPDATED 22:35 EDT / MARCH 13 2018

INFRA

Browser issues lead 76 vulnerabilities in Microsoft’s March ‘Patch Tuesday’ release

Microsoft Corp.’s monthly “Patch Tuesday” today addressed 76 separate vulnerabilities, including the serious Microsoft Remote Desktop vulnerability revealed by Preempt Security Inc. earlier today.

Browser-related vulnerabilities lead the list, with patches being made available for all supported versions of Windows, Internet Explorer, Office, Sharepoint and Exchange server.

Greg Wiseman, senior security researcher at Rapid7 Inc. told SiliconANGLE that all of the patches that addressed critical vulnerabilities are browser-related.

“This is not surprising considering web browsers are a major attack surface on modern Windows workstations and are an obvious vector for malicious code,” Wiseman said. “Even so, with the sheer volume of vulnerabilities patched this month there’s still plenty to worry about as far as other Windows and Office products go. Server administrators in particular should note the many privilege escalation vulnerabilities being fixed in Sharepoint Server. Exchange Server is also getting fixes for privilege escalation and information disclosure bugs.”

Wiseman said that among the other patches, network administrators should pay attention to CVE-2018-0883 (Windows Shell) and CVE-2018-0903 (Microsoft Access), both RCE vulnerabilities that simply require a user to open a maliciously crafted file.

Jimmy Graham, director of product management at Qualys Inc., said that of the remaining important vulnerabilities, the patch addressing CVE-2018-0886, the CredSSP vulnerability in Remote Desktop should be applied as soon as possible.

With Adobe Systems Inc. releasing patches at the same time Microsoft does each month, Graham said particular importance should be given to applying an update for Flash that remediates two critical vulnerabilities.

Chris Goettl, director of product management at Ivanti Inc., drew attention to a number of other updates that don’t have direct patches.

“There are few ASP.NET Core, Chakra Core and PowerShell Core updates,” Goettl said. “These do not have a patch package to update, but new binaries available that need to be integrated into your DevOps process this month to include in your next push to production.”

Also buried in the release was additional update support for the Intel CPU Meltdown vulnerabilities.

“Server 2008 and 2012 and Windows 7 x86 Monthly Rollup and Security Only bundle now include the mitigation features,” Goettl said. “This means that these systems now require the AV registry keys as a dependency to be able to apply the March updates.”

Photo: Svetlana Miljkovic/Wikimedia Commons

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU