14 DAY TRIAL // Microsoft has published this month’s Patch Tuesday updates, fixing a total of 51 vulnerabilities in products like Windows operating systems, Microsoft Edge and Internet Explorer browsers, and Microsoft Office productivity suite.
What’s very important to note is that this is a rather light security cycle, as no zero-days have been discovered, though this doesn’t mean that you should delay patching systems.
First and foremost, Microsoft has released further mitigations for the Spectre variant 4 vulnerability, and now Intel is expected to ship new microcode updates to address the flaw as well.
Additionally, the software giant fixes CVE-2018-8225, a Windows DNSAPI Remote Code Execution flaw that could allow an attacker to run arbitrary code in the context of Local System Account. “To exploit the vulnerability, the attacker would use a malicious DNS server to send corrupted DNS responses to the target,” Microsoft says, adding that this update changes the way DNSAPI.dll handles DNS responses.
The software giant claims exploitation is less likely and there are no known exploits in the wild right now. All Windows versions are affected, including Windows 10.
No known attacks in the wild
There’s also a critical flaw documented in CVE-2018-8231 and allowing for remote code execution. “A remote code execution vulnerability exists when HTTP Protocol Stack (Http.sys) improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code and take control of the affected system,” Microsoft notes, also adding that exploitation is less likely.
In order to exploit the flaw, an attacker needs to send a crafted file to an HTTP.sys server, and this new update corrects the way the HTTP Protocol Stack handles objects in memory. This time, only Windows 10 is affected and users are recommended to patch as soon as possible.
All the June 2018 updates are available via Windows Update right now, and there are no known bugs for the time being. A reboot will be required.