Yesterday, Microsoft released its latest security patch, which fixed a total of 75 flaws, including more than a dozen critical vulnerabilities affecting the Internet Explorer and Edge web browsers.
This month, the security experts rated as critical all the security holes affecting the web browsers. Most of the issues have been described as remote code execution flaws that exist due to the way browser scripting engines handle objects in memory.
According to the researchers, the only critical vulnerability that cannot be exploited for arbitrary code execution can lead to disclosure of information that can be leveraged to further compromise the targeted system.
Two of the vulnerabilities patched by Microsoft were publicly disclosed before the fixes were released; however, they are only rated as “important,” and no evidence of malicious exploitation has been found.
The above-mentioned bugs are a denial-of-service (DoS) issue in ASP.NET and a privilege escalation in Exchange.
The Zero Day Initiative (ZDI) pointed out that the Exchange vulnerability exists in the Outlook Web Access (OWA) component, and it can be exploited for phishing attacks.
The other privilege escalation flaw affects the Windows installer and lets an authenticated attacker run arbitrary code with elevated permissions.
“At first glance, this doesn’t seem very crucial since an attacker would need the ability to run programs on a target system to exploit this vulnerability,” ZDI writes. “However, this type of bug is often used by malware authors to “piggyback” their malicious code on top of innocuous code. It’s always easier to convince someone to install ‘GreatNewGame.exe’ instead of ‘EvilMalware.exe’.”
The CVE-2018-0886 vulnerability is another remote code execution bug, which affects the Credential Security Support Provider (CredSSP) protocol. To eliminate all the potential threats, PC users should apply Microsoft’s latest patch and make some settings changes as well.
Microsoft’s latest security updates also fix vulnerabilities in Hyper-V, Access, SharePoint, Identity Manager, and Windows. In addition, the company has updated all the Flash Player components in its products to address a couple of vulnerabilities that Adobe fixed yesterday.