Microsoft Fixes 66 Bugs in April Patch Tuesday Release
Target: Users of the affected software.
Attack Vector: Various methods of delivery.
Summary: Microsoft's Patch Tuesday updates for April have been released, covering 66 CVE-listed vulnerabilities, 24 of which are rated critical. The number of patches is lower than recently observed; however, the number of vulnerabilities rated critical has increased by almost 50 percent, the majority of them in browsers and browser-related technologies. The security updates were rolled out across numerous pieces of software, with elevation of privilege, security feature bypass and remote code execution vulnerabilities making up a large portion of this month's release.
One of the most notable flaws Microsoft addressed is an elevation of privilege bug, CVE-2018-1034, which could allow an authenticated attacker to install programs, access stored data or create new accounts with full user rights on Windows 7 and Server 2008 R2 machines. Five font-based flaws were also a major focus for Microsoft this month; these could allow attackers to take control of a victim's system through specially crafted websites and fonts. Furthermore, a Microsoft Wireless Keyboard 850 Security Feature Bypass Vulnerability, CVE-2018-8117, has also been addressed, which could allow an attacker to log keystrokes.
Risk assessment summary: The threat is assessed as 4c LOW. Although this release contains several vulnerabilities that could potentially be exploited by threat actors, and the number of critical vulnerabilities has increased compared to last month, there is only one zero-day flaw. This flaw is identified as CVE-2018-1034, which is most likely used for cross-site scripting attacks. The elevation of privilege vulnerability leaves at risk those users who installed the January security updates, and it can only be fixed by the user installing the new service updates. The Microsoft Wireless Keyboard 850 Security Feature Bypass Vulnerability has been patched by Microsoft, which has strengthened the keyboard's security by mandating unique AES encryption keys. The last vulnerability detailed is the remote code execution flaw in the Microsoft Malware Protection Engine; Microsoft released an emergency patch to mitigate this flaw earlier in the week.