A total of 32 issues allow for Remote Code Execution

May 9, 2018 05:23 GMT  ·  By

Microsoft has released Patch Tuesday fixes to resolve a total of 67 vulnerabilities in its products, including Windows, Office, and browsers. The rollout also includes one Flash Player update.

Out of the patched flaws, no less than 21 have been assigned a critical severity rating, while 32 of them are allowing for Remote Code Execution.

First and foremost, there are two zero-day vulnerabilities that are being addressed this month, and IT admins are recommended to prioritize deployment of their patches.

Zero-days fixed

CVE-2018-8174 describes a security issue in the way the scripting engine handles memory objects, and Internet Explorer as well as apps that integrate its engine are vulnerable to attacks. Exploiting this bug could grant the attacker full control of the system.

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website,” Microsoft explains, adding that attacks have already been detected in the wild.

“An attacker could also embed an ActiveX control marked ‘safe for initialization’ in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.”

A second zero-day flaw detailed in CVE-2018-8120 is being fixed this month. The vulnerability exists in Windows 7 SP1 and Windows Server 2008 SP1 and SP2, and Microsoft says it has already discovered several exploits. A successful attack provides a hacker with rights to run arbitrary code in kernel mode and Microsoft explains that the exploit involves malicious actors first logging on to the system.

Overall, browsers are getting a total of 18 patches this month, and Windows 10 devices are vulnerable as well. Users can patch their systems by installing the most recent cumulative updates.