Browser issues lead 76 vulnerabilities in Microsoft’s March ‘Patch Tuesday’ release
Microsoft Corp.’s monthly “Patch Tuesday” today addressed 76 separate vulnerabilities, including the serious Microsoft Remote Desktop vulnerability revealed by Preempt Security Inc. earlier today.
Browser-related vulnerabilities lead the list, with patches being made available for all supported versions of Windows, Internet Explorer, Office, Sharepoint and Exchange server.
Greg Wiseman, senior security researcher at Rapid7 Inc. told SiliconANGLE that all of the patches that addressed critical vulnerabilities are browser-related.
“This is not surprising considering web browsers are a major attack surface on modern Windows workstations and are an obvious vector for malicious code,” Wiseman said. “Even so, with the sheer volume of vulnerabilities patched this month there’s still plenty to worry about as far as other Windows and Office products go. Server administrators in particular should note the many privilege escalation vulnerabilities being fixed in Sharepoint Server. Exchange Server is also getting fixes for privilege escalation and information disclosure bugs.”
Wiseman said that among the other patches, network administrators should pay attention to CVE-2018-0883 (Windows Shell) and CVE-2018-0903 (Microsoft Access), both RCE vulnerabilities that simply require a user to open a maliciously crafted file.
Jimmy Graham, director of product management at Qualys Inc., said that of the remaining important vulnerabilities, the patch addressing CVE-2018-0886, the CredSSP vulnerability in Remote Desktop should be applied as soon as possible.
With Adobe Systems Inc. releasing patches at the same time Microsoft does each month, Graham said particular importance should be given to applying an update for Flash that remediates two critical vulnerabilities.
Chris Goettl, director of product management at Ivanti Inc., drew attention to a number of other updates that don’t have direct patches.
“There are few ASP.NET Core, Chakra Core and PowerShell Core updates,” Goettl said. “These do not have a patch package to update, but new binaries available that need to be integrated into your DevOps process this month to include in your next push to production.”
Also buried in the release was additional update support for the Intel CPU Meltdown vulnerabilities.
“Server 2008 and 2012 and Windows 7 x86 Monthly Rollup and Security Only bundle now include the mitigation features,” Goettl said. “This means that these systems now require the AV registry keys as a dependency to be able to apply the March updates.”
Since you’re here …
Show your support for our mission with our one-click subscription to our YouTube channel (below). The more subscribers we have, the more YouTube will suggest relevant enterprise and emerging technology content to you. Thanks!
Support our mission: >>>>>> SUBSCRIBE NOW >>>>>> to our YouTube channel.
… We’d also like to tell you about our mission and how you can help us fulfill it. SiliconANGLE Media Inc.’s business model is based on the intrinsic value of the content, not advertising. Unlike many online publications, we don’t have a paywall or run banner advertising, because we want to keep our journalism open, without influence or the need to chase traffic.The journalism, reporting and commentary on SiliconANGLE — along with live, unscripted video from our Silicon Valley studio and globe-trotting video teams at theCUBE — take a lot of hard work, time and money. Keeping the quality high requires the support of sponsors who are aligned with our vision of ad-free journalism content.