Patch Tuesday Brings Fixes for Adobe, Spectre

Patch Tuesday Brings Fixes for Adobe, Spectre

Microsoft has fixed a half century of vulnerabilities for this month’s patch update round, including one publicly disclosed bug and one being exploited in the wild.

Adobe patched zero-day vulnerability CVE-2018-5002 in an out-of-band update last week so admins are urged to apply Flash Player update APSB18-19 as soon as possible to fix this and three other bugs.

RCE flaw CVE-2018-8267 is a Scripting Engine Memory Corruption Vulnerability disclosed without a patch on June 1. Affecting all version of Internet Explorer, it should also be prioritized.

Allan Liska, senior solutions architect at Recorded Future, claimed that Windows Domain Name System (DNS) bug CVE-2018-8225 could allow an attacker to take control of an affected machine and should also be put high on the to-do list.

He also flagged Edge vulnerability CVE-2018-8229.

“The vulnerability is a memory corruption vulnerability in Microsoft Edge’s Chakra scripting engine. An attacker could use a specially crafted JavaScript on a website that the attacker controls or has compromised to exploit this vulnerability and execute arbitrary code on a victim’s machine,” Liska explained.

“Because JavaScript is so pervasive and needed for many websites to even operate disabling the Chakra Scripting Engine is not an option, which means the vast majority of Microsoft Edge users are vulnerable to this attack. It is important to patch Microsoft Edge as soon as possible to prevent this attack.”

Ivanti director of product management, Chris Goettl, pointed to new Meltdown and Spectre mitigations against Spectre Variant 4 (CVE-2018-3639) vulnerabilities.

“This was the series of 8 additional Spectre vulnerabilities discovered a few weeks ago that allow for Speculative Store Bypass,” he added. “Similar to the last round of Meltdown and Spectre fixes the guidance from Microsoft is to apply the OS updates, apply latest microcodefirmware updates, then turn on mitigation for Variant 4. They do warn about the possibility of performance impact once again.”

Source: Information Security Magazine