17 critical vulnerabilities fixed this month

Jul 11, 2018 06:09 GMT

Microsoft has released new security updates as part of the July 2018 Patch Tuesday cycle, with a total of 54 vulnerabilities addressed this month.

Out of the 17 critical security flaws that the software giant resolves with these updates, no fewer than 15 impact Microsoft’s browsers, which emphasizes just how critical it is for Internet Explorer and Microsoft Edge users to install them as soon as possible.

Of particular note this month is CVE-2018-0949, an Internet Explorer security feature bypass vulnerability that affects the browser on all supported versions of Windows.

“A security feature bypass vulnerability exists when Microsoft Internet Explorer improperly handles requests involving UNC resources. An attacker who successfully exploited the vulnerability could force the browser to load data that would otherwise be restricted,” Microsoft explains.

To exploit the flaw, an attacker needs a vulnerable system to load a crafted website in an unpatched instance of Internet Explorer, the company adds. Microsoft rates exploitation as more likely, though the company isn’t aware of any attacks in the wild, and the flaw wasn’t publicly disclosed.

Microsoft Edge patch

Microsoft Edge in Windows 10 April 2018 Update is also affected by an important security flaw, detailed in CVE-2018-8289, that could provide attackers with information that would then help compromise the user’s system.

“In all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action. For example, an attacker could trick a user into clicking a link that takes the user to the attacker's site,” Microsoft says.

Exploitation is more likely in this case, and the flaw does not exist in older Windows 10 versions. The vulnerability was not publicly disclosed.

As with every Patch Tuesday rollout, the new fixes are available right now via Windows Update, and a reboot is required to complete deployment. There are no reports of botched updates so far.