This month’s Patch Tuesday addresses a total of 55 vulnerabilities, with four publicly-disclosed flaws included

Jan 10, 2018 05:51 GMT

It’s a busy month for Microsoft, and after releasing emergency updates last week to address Meltdown and Spectre vulnerabilities, the company kicked off the monthly Patch Tuesday rollout a few hours ago with more fixes for Windows, Office, Edge, and ASP.NET.

This time, a total of 55 vulnerabilities are being fixed with Patch Tuesday updates. No fewer than 16 of them are rated as critical, while 38 were labeled important. As many as 20 are said to allow remote code execution (RCE), enabling attackers to take control of an unpatched system.

Four of the vulnerabilities fixed this month have been publicly disclosed, and one has been confirmed to be targeted by exploits available in the wild.

Meltdown and Spectre updates

Meltdown and Spectre patches should be prioritized unless the flaws have already been addressed, and IT admins and consumers alike should also pay particular attention to the publicly-disclosed flaws.

Three of them are part of the Meltdown and Spectre fiasco and have already been documented by Microsoft. There’s one Meltdown vulnerability which users can fix with a patch making code changes to the kernel, while the two Spectre flaws require firmware updates, also available from Microsoft and other vendors.

The fourth and last publicly-disclosed vulnerability affects Office for Mac and can allow an attacker to gain the same rights as the logged-in user. Microsoft says this flaw isn’t exploited in the wild and claims exploitation is less likely, though it recommends that users patch as soon as possible. Only Microsoft Office 2016 for Mac is affected by the vulnerability documented in CVE-2018-0819.

There are no reports of botched updates so far, and everyone is advised to install them on their systems as fast as possible. Reboots are required to complete the install.

Microsoft has published detailed information for each patch in the Security Update Guide, though the advisories are mostly aimed at IT pros who want to look into severity and impact before deployment.