Browser issues lead 76 vulnerabilities in Microsoft’s March ‘Patch Tuesday’ release
Microsoft Corp.’s monthly “Patch Tuesday” today addressed 76 separate vulnerabilities, including the serious Microsoft Remote Desktop vulnerability revealed by Preempt Security Inc. earlier today.
Browser-related vulnerabilities lead the list, with patches being made available for all supported versions of Windows, Internet Explorer, Office, Sharepoint and Exchange server.
Greg Wiseman, senior security researcher at Rapid7 Inc. told SiliconANGLE that all of the patches that addressed critical vulnerabilities are browser-related.
“This is not surprising considering web browsers are a major attack surface on modern Windows workstations and are an obvious vector for malicious code,” Wiseman said. “Even so, with the sheer volume of vulnerabilities patched this month there’s still plenty to worry about as far as other Windows and Office products go. Server administrators in particular should note the many privilege escalation vulnerabilities being fixed in Sharepoint Server. Exchange Server is also getting fixes for privilege escalation and information disclosure bugs.”
Wiseman said that among the other patches, network administrators should pay attention to CVE-2018-0883 (Windows Shell) and CVE-2018-0903 (Microsoft Access), both RCE vulnerabilities that simply require a user to open a maliciously crafted file.
Jimmy Graham, director of product management at Qualys Inc., said that of the remaining important vulnerabilities, the patch addressing CVE-2018-0886, the CredSSP vulnerability in Remote Desktop should be applied as soon as possible.
With Adobe Systems Inc. releasing patches at the same time Microsoft does each month, Graham said particular importance should be given to applying an update for Flash that remediates two critical vulnerabilities.
Chris Goettl, director of product management at Ivanti Inc., drew attention to a number of other updates that don’t have direct patches.
“There are few ASP.NET Core, Chakra Core and PowerShell Core updates,” Goettl said. “These do not have a patch package to update, but new binaries available that need to be integrated into your DevOps process this month to include in your next push to production.”
Also buried in the release was additional update support for the Intel CPU Meltdown vulnerabilities.
“Server 2008 and 2012 and Windows 7 x86 Monthly Rollup and Security Only bundle now include the mitigation features,” Goettl said. “This means that these systems now require the AV registry keys as a dependency to be able to apply the March updates.”
A message from John Furrier, co-founder of SiliconANGLE:
Show your support for our mission by joining our Cube Club and Cube Event Community of experts. Join the community that includes Amazon Web Services and Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger and many more luminaries and experts.
We really want to hear from you, and we’re looking forward to seeing you at the event and in theCUBE Club.