IE and Microsoft Edge included in Patch Tuesday

Mar 14, 2018 08:11 GMT

Patch Tuesday brought not only a bunch of new cumulative updates for Windows 10, but also security fixes for no fewer than 75 vulnerabilities, 15 of which are rated as critical.

While this is considered quite a light Patch Tuesday in terms of the security flaws being addressed, browsers and technologies that are in one way or another related to browsers (such as browsing engines) account for all critical updates this month.

Both Internet Explorer and Microsoft Edge are being targeted by this patching cycle, and so are other Windows components like ASP.NET Core and PowerShell Core.

There are updates for two publicly disclosed flaws, one in Microsoft Exchange Server versions 2010 to 2016 (CVE-2018-0940) and one in ASP.NET Core 2.0 (CVE-2018-0808), but these vulnerabilities are labeled as important, with no attacks recorded.

New Meltdown and Spectre patches

There are also new security updates for Windows 7 and Windows 8.1, both of which are getting additional Meltdown and Spectre mitigations. Microsoft is also expanding hardware flaw patches to more chipsets, after previously shipping updates for Skylake processors.

There are two vulnerabilities whose patching needs to be prioritized in this month’s Patch Tuesday. CVE-2018-0886 describes a security flaw in the CredSSP authentication module, and Microsoft says that attackers could exploit it with Remote Desktop. Additional fixes for this bug, along with a new version of the RDP client, will be released next month, the company says.

Furthermore, CVE-2018-0883 describes a remote code execution flaw in Windows Shell, which can be exploited after the user launches a malicious file.

All in all, system admins have a lot of patching to do this month, despite the rather small number of critical updates found in Microsoft browsers. System reboots will be needed and, as is the case every month, backups are strongly recommended in case something goes wrong with a patch and rolling back is required.