Scores More Flaws to Fix This Patch Tuesday
Microsoft has once again patched more than 50 vulnerabilities this month, with the majority of the critical bugs affecting the browser.

Patch Tuesday saw the Redmond giant issue a “moderate” update load according to most experts, with 17 critical flaws to fix.

These include vulnerabilities in the Chakra Scripting Engine, Edge browser, Scripting Engine and PowerShell Editor Services.

Recorded Future senior solutions architect, Allan Liska, said the latter was particularly dangerous “because PowerShell Editor Services are primarily used by network administrators, so an attacker who exploits this vulnerability would most likely do so with administrative access.”

Qualys director of product management, Jimmy Graham, urged admins to focus on the 16 CVEs covering browsers for all workstation-type devices.

Although there are no zero-days to fix this month, three vulnerabilities have been publicly disclosed: “two privilege escalation vulnerabilities in Windows and a spoofing vulnerability in Edge whereby a user could be tricked into believing a malicious website is legitimate,” according to Rapid7 senior security researcher, Greg Wiseman.

Not to be outdone, Adobe released four patches for Flash, Adobe Reader, Experience Manager, and Adobe Connect which fix over 100 CVEs.

The Adobe Flash patch addresses just two flaws, according to Dustin Childs of Trend Micro’s Zero Day Initiative.

“The first is a type confusion bug submitted through the ZDI program that could lead to remote code execution. The other bug is a less severe information disclosure vulnerability due to an out-of-bounds read,” he explained. “The patch for Experience Manager fixes three information disclosure bugs. The Connect patch also fixes three bugs, with two being authentication bypasses and one being an insecure library load.”

However, the update for Acrobat fixes a whopping 107 CVEs including out-of-bounds reads, out-of-bounds writes, heap overflows, type confusions, and use-after-frees, Childs added. There are over 50 critical CVEs to fix in Acrobat and Reader.

Source: Information Security Magazine