UPDATED 23:47 EST / APRIL 10 2018

INFRA

Nearly 70 vulnerabilities addressed in Microsoft’s latest ‘Patch Tuesday’ release

Microsoft Corp. today addressed nearly 70 vulnerabilities in its monthly “Patch Tuesday” release, the most notable one for a so-called privilege vulnerability.

The vulnerability, known as CVE-2018-1038, affects Windows 7 for x64-based systems and Windows Server 2008 R2 for x64-based systems. In addition, keeping on trend with the February and March releases, April’s Patch Tuesday includes operating-system-level mitigations for CVE-2017-5715, the Spectre Variant 2, addressing the issue on some processors running Windows 10, but not all.

Microsoft takes its lead its lead from Intel Corp. when it comes to patching, with Intel releasing microcode updates that Microsoft subsequently either releases as standalone patches or as part of its Patch Tuesday release. Intel announced April 3 that it would not be offering Spectre V2 microcode patches for older processors, hence Microsoft is not as well.

Chris Goettl, director of product management at Ivanti Inc., told SiliconANGLE that along with the patch for CVE-2018-1038, enterprises should also look at installing one for Microsoft’s Malware Protection Engine that resolved a remote code execution vulnerability as a priority, if not already installed.

“The fix for this is simply to update to the latest definitions,” Goettl explained. “For the majority of environments using Microsoft’s Malware Protection Engine, this would have happened automatically.”

Of the other patches, Goettl said that there are multiple critical vulnerabilities this month in the Windows Operating System, Internet Explorer and Edge browsers and on Office. “There are a few critical kernel vulnerabilities resolved, several Microsoft graphics and TrueType font driver vulnerabilities resolved and a host of critical browser vulnerabilities resolved,” he added.

Greg Wiseman, senior security researcher at Rapid7 Inc., said that of the vulnerabilities addressed this month, the continuing issues around Intel Corp.’s Spectre and Meltdown chip vulnerabilities illustrates the complexity involved with trying to work around hardware vulnerabilities via software. In particular, he said, Microsoft’s KB4093112 mitigates CVE-2017-5715 for Windows 10 version 1709 running on AMD processors.

“By default, applying this update will only protect against some attack scenarios,” Wiseman said. “To prevent a malicious application run in user mode from being able to disclose the contents of kernel memory (user-to-kernel), the Indirect Branch Prediction Barrier must be enabled by adding certain registry keys and restarting. This may negatively impact system performance, which is why it is not automatically enabled. Process-to-process and virtualized guest-to-host mitigations are enabled by default.”

Of the more obscure patches, Wiseman points to CVE-2018-8117, a fix for Microsoft’s Wireless Keyboard 850. The vulnerability is a “security feature bypass vulnerability, where an attacker able to extract the encryption key from a keyboard could then wirelessly send and/or read keystrokes, potentially reading sensitive data such as passwords or issuing malicious commands to a connected system, ” Wiseman explained.

Jimmy Graham, Director of Product Management at Qualys Inc., noted that although this Patch Tuesday is smaller than last month’s, there are more critical updates this time. Graham added that it’s important that organizations do not overlook the Adobe patches as well, despite Microsoft and Adobe saying that there are no active attacks against the vulnerabilities.

Photo: US Air Force

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU