With the Windows 10 1803 Spring Creators Update delayed at the eleventh hour for unknown reasons, admins and end users will still receive plenty of updates in the April 2018 Patch Tuesday.
The big picture is 65 security fixes assigned CVE numbers, 23 of which (plus a separate Adobe Flash flaw) are rated critical, with no true zero-days among them.
A critical 66th CVE on the list should already have been fixed a week ago through an emergency patch that Microsoft issued for a remote code execution (RCE) vulnerability (CVE-2018-0986) in the Microsoft Malware Protection Engine (MMPE).
Affecting Security Essentials, Intune Endpoint Protection, Windows Defender, Exchange Server 2013/2016, and Forefront Endpoint Protection 2010, this patch should have been applied automatically via MMPE itself.
A breakdown of the remaining 22 critical flaws shows:
- Seven memory corruption vulnerabilities in the Chakra Scripting Engine (Edge’s JavaScript interpreter).
- Five RCE flaws in Microsoft Graphics’ Windows font library.
- Four affecting Internet Explorer.
- Four affecting the scripting engine also used by Internet Explorer.
- One affecting Windows 10’s Edge browser.
- One RCE in the Windows VBScript engine.
The five font-themed flaws attracted warnings from experts, including Dustin Childs of vulnerability research company Zero Day Initiative:
Since there are many ways to view fonts – web browsing, documents, attachments – it’s a broad attack surface and attractive to attackers.
A final interesting flaw is CVE-2018-0850, rated “Important” and affecting Microsoft Outlook.
The flaw was reported by US CERT CC’s Will Dormann way back in November 2016; the update patches it, but not entirely, he said:
This update prevents automatic retrieval of remote OLE objects in Microsoft Outlook when rich text email messages are previewed. If a user clicks on an SMB link, however, this behavior will still cause a password hash to be leaked.
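Because the residual risk Dormann describes is an NTLM hash leaving the network over SMB, the usual compensating control is to stop outbound SMB to addresses outside the organisation. The following PowerShell is an added example written for this page (it is not from the article, Microsoft or CERT/CC) and creates a Windows host-firewall rule that blocks outbound TCP 445 and 139 to public IPv4 ranges while leaving RFC 1918 private ranges untouched. The rule name and the choice of ranges are assumptions.

```powershell
# Added example, not from the article: host-firewall rule that blocks outbound
# SMB (TCP 445 and 139) to public IPv4 addresses, so that an SMB link clicked
# in a previewed message cannot send an NTLM hash to an external host.
# Run from an elevated PowerShell. The rule name is an assumption.

$ruleName = 'Block outbound SMB to public addresses'

# All routable IPv4 space except 10/8, 172.16/12, 192.168/16 (and 0/8, 127/8).
$publicRanges = @(
    '1.0.0.0-9.255.255.255',
    '11.0.0.0-126.255.255.255',
    '128.0.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-223.255.255.255'
)

# Remove any earlier copy of the rule so the script can be re-run safely.
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

New-NetFirewallRule -DisplayName $ruleName `
    -Direction Outbound -Action Block -Enabled True `
    -Protocol TCP -RemotePort 445,139 `
    -RemoteAddress $publicRanges `
    -Profile Any

# Show the address filter actually attached to the new rule.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
```

Two caveats for anyone deploying this: a host rule only protects machines on which it is applied, so the same block at the network perimeter (egress 445/139/137) is the more robust place for it; and when SMB is unreachable Windows may fall back to the WebDAV redirector over HTTP/HTTPS if the WebClient service is running, so that path needs the same attention.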
Spectre chip flaws
In parallel news, AMD has issued a Windows microcode update addressing the Spectre variant 2 chip flaw (CVE-2017-5715) that Naked Security covered last week in relation to older Intel microprocessors.
For Windows 10 users, this works in tandem with a Microsoft update (look for “April 2018 Windows OS updates”), installed in conjunction with each PC manufacturer’s BIOS updates. Linux mitigations were released earlier in 2018, AMD said.
TL;DR: in the four words of Naked Security’s security update mantra: patch early, patch often.
Note. The Microsoft Knowledge Base (KB) update number you see depends on your Windows version and build number. The latest Windows 10 build is 16299.371 (1709), for which the update appears as KB4093112.
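Since the KB number depends on the installed version and build, an admin will usually want a quick check on each machine rather than a lookup table. The script below is an added example written for this page, not something the article or Microsoft provides; it reads the Windows version and build from the registry and compares them with the one build/KB pairing the Note gives (1709, build 16299.371, KB4093112). Entries for other releases would have to be added from Microsoft's own release notes.

```powershell
# Added example, not from the article: report this PC's Windows 10 version and
# OS build, then check whether the April 2018 cumulative update is present.
# The only pairing taken from the article is 1709 -> 16299.371 / KB4093112.

$cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$release = $cv.ReleaseId                                  # e.g. 1709
$build   = [version]"$($cv.CurrentBuild).$($cv.UBR)"     # e.g. 16299.371

# Patched build and KB per release; only the 1709 entry comes from the article.
$patched = @{
    '1709' = @{ Build = [version]'16299.371'; KB = 'KB4093112' }
}

"Windows 10 version $release, OS build $build"

if (-not $patched.ContainsKey($release)) {
    "No expected build recorded for version $release; look it up in Microsoft's release information."
    return
}

$want        = $patched[$release]
$kbInstalled = [bool](Get-HotFix -Id $want.KB -ErrorAction SilentlyContinue)

if ($build -ge $want.Build -and $kbInstalled) {
    "OK: build is at or above $($want.Build) and $($want.KB) is installed."
} elseif ($build -ge $want.Build) {
    "Build $build is current, but $($want.KB) is not listed by Get-HotFix (a later cumulative update may have superseded it)."
} else {
    "NOT PATCHED: build $build is below $($want.Build); install $($want.KB) or a later cumulative update."
}
```

The build comparison is the reliable signal: cumulative updates supersede one another, so a machine can be fully patched without the exact KB from the Note appearing in Get-HotFix output.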
MikeP
Why is it that people who comment on computer matters and in particular about Microsoft Windows assume that ‘everyone’ uses Windows 10? The latest data reported that more people are still using Windows 7 rather than Windows 10. The latter accounted for just over 30% of the market whilst Windows 7 was reported as being just over 50%. So whilst it is right to report on W10 issues, you should also report on those affecting W7 and W8/W8.1 (which I am using to type this comment). Security issues are just as important for users of earlier versions, maybe more so as they approach their ‘end of life’ date.
mike@gmail.com
Isn’t that what Microsoft’s website is for? If you hear about 24 critical Windows 10 vulns and aren’t checking to see what’s what for Windows 7, you’re an idiot. And if you’re not an idiot, the article did its job.
Anonymous
I totally agree. I will never use Windows 10; I still use Windows 7 and it works perfectly, so I also want to know.
John E Dunn
I don’t think the article does that except to reflect the fact that the focus of Microsoft’s patching effort shifted when it ended mainstream support for Windows 7 SP1 in 2015 (extended support ends in January 2020 after which, officially, there will be no more security updates).
Breaking down patches by product is also difficult – there are five builds of Windows 10 alone, plus server editions, Office applications and, as you point out, Windows 7.
Anonymous
Version 1803 (OS Build 17133.73) On My ASUS !! EEYYEEAA !!
Christopher Michael
Windows 10 is spyware and adware itself, how do you protect yourself from that, may I ask?
Mahhn
Sophos free firewall, get a list of IP ranges for MS, Google, .gov, and block them. A little monitoring to see what else it might be doing.
Paul Ducklin
If you already know it to be spyware and adware, why are you running it? There are loads of alternatives that are under active development and that receive regular updates. Take a look at Linux, FreeBSD, OpenBSD, and so on.
Here’s a light-hearted way to get started:
https://nakedsecurity.sophos.com/2017/12/27/holiday-fun-1-try-an-unusual-operating-system/
Scot
You’re a masochist if you install MS updates when they become available. The cumulative patching system was supposed to make patching easier, but it’s just gotten worse and worse. As buggy updates are released it’s now a monthly decision between “patch vulnerabilities now but break shit” or “be vulnerable but have a working PC”. That’s not acceptable, especially when Windows 7’s cumulative patches SINCE JANUARY have been an absolute charlie foxtrot. I have not approved them for 200 users because the sheer amount of bugs is ridiculous. They are still fixing bugs from Jan while introducing MORE in Feb and March. NO THANKS. I’d rather have happy employees and let our firewall sort out the rest until MS gets its act together.
Mahhn
If you have standard systems and a couple extra, depending on whether the vulnerabilities affect you, you might want to patch a couple of test systems to evaluate rolling out updates.