Microsoft June 2018 Patch Tuesday Fixes 50 Security Issues

Microsoft has released the June 2018 Patch Tuesday security updates, and this month's release comes with fixes for 50 vulnerabilities.

Fixes are included for the Windows OS, Internet Explorer, Microsoft Edge, the ChakraCore JavaScript engine, Microsoft Office, and Microsoft Office Services and Web Apps.

No Windows zero-days this month

There are no Windows zero-days in this month's Patch Tuesday, but Microsoft patched CVE-2018-8267, a remote code execution vulnerability whose existence was publicly disclosed last week.

In addition to the regular Patch Tuesday updates, Microsoft has also published KB4338110, a standalone security advisory with coding guidance on how to avoid creating apps that are vulnerable to a padding oracle attack when Cipher-Block-Chaining (CBC) mode is used with symmetric encryption algorithms.

Apps developed with this flaw allow an attacker to decrypt and tamper with encrypted data without knowing the encryption key, and the attack can be performed locally or over a network.
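
The sketch below is an added example, not code from Microsoft's advisory or from this article. It shows one common mitigation for this class of flaw in Node.js: authenticate the IV and ciphertext with an HMAC and verify it before decrypting, so that padding is never checked on data an attacker has modified. The names seal, openWeak, open and tamperIv and the demo keys are hypothetical.

```javascript
const { createCipheriv, createDecipheriv, createHmac,
        randomBytes, timingSafeEqual } = require('crypto');

// Constructed demo keys: one for encryption, a separate one for the MAC.
const encKey = randomBytes(32);
const macKey = randomBytes(32);

// Encrypt-then-MAC: output is iv || ciphertext || HMAC-SHA256(iv || ciphertext).
function seal(plaintext) {
  const iv = randomBytes(16);
  const c = createCipheriv('aes-256-cbc', encKey, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  const tag = createHmac('sha256', macKey).update(iv).update(ct).digest();
  return Buffer.concat([iv, ct, tag]);
}

// Weak form: decrypts unauthenticated data, so "bad padding" is observable.
function openWeak(msg) {
  const iv = msg.subarray(0, 16), ct = msg.subarray(16, msg.length - 32);
  try {
    const d = createDecipheriv('aes-256-cbc', encKey, iv);
    return { ok: true, data: Buffer.concat([d.update(ct), d.final()]) };
  } catch (e) {
    return { ok: false, error: 'bad padding' }; // this signal is the oracle
  }
}

// Hardened form: constant-time MAC check first, one uniform error for any failure.
function open(msg) {
  if (msg.length < 16 + 16 + 32) return { ok: false, error: 'invalid message' };
  const iv = msg.subarray(0, 16), ct = msg.subarray(16, msg.length - 32);
  const tag = msg.subarray(msg.length - 32);
  const want = createHmac('sha256', macKey).update(iv).update(ct).digest();
  if (!timingSafeEqual(tag, want)) return { ok: false, error: 'invalid message' };
  const d = createDecipheriv('aes-256-cbc', encKey, iv);
  return { ok: true, data: Buffer.concat([d.update(ct), d.final()]) };
}

// Constructed tampering for the demo: flip one bit in the last IV byte,
// which flips the same bit in the last byte of the first plaintext block.
function tamperIv(msg) {
  const t = Buffer.from(msg);
  t[15] ^= 0x01;
  return t;
}
```

With a 13-byte plaintext, the flipped bit lands in the padding, so openWeak reports a padding failure while open rejects the message before decryption is attempted.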

Furthermore, after installing this month's Patch Tuesday updates, everybody's Meltdown and Spectre mitigations will be set to the settings below.

| Operating System | CVE-2017-5715 (Spectre variant 2) | CVE-2017-5754 (Meltdown) | CVE-2018-3639 (Spectre variant 4 aka SpectreNG) |
|---|---|---|---|
| Windows 10 | Enabled by default | Enabled by default | Disabled by default - see ADV180012 |
| Windows Server 2016 | Disabled by default - see KB4072698 | Disabled by default - see KB4072698 | Disabled by default - see ADV180012 |
| Windows 8.1 | Enabled by default | Enabled by default | Not applicable |
| Windows Server 2012 R2 | Disabled by default - see KB4072698 | Disabled by default - see KB4072698 | Disabled by default - see ADV180012 |
| Windows RT 8.1 | Enabled by default | Enabled by default | Not applicable |
| Windows 7 | Enabled by default | Enabled by default | Disabled by default - see ADV180012 |
| Windows Server 2008 R2 | Disabled by default - see KB4072698 | Disabled by default - see KB4072698 | Disabled by default - see ADV180012 |
| Windows Server 2008 | Enabled by default | Enabled by default | Not applicable |

Flash fixes also included

Last but not least, the Microsoft June 2018 Patch Tuesday also includes a patch for an Adobe Flash Player zero-day (CVE-2018-5002) that Adobe patched last week.

Below is a table listing all the security issues Microsoft fixed this month. We used PowerShell and the Microsoft API to assemble the table, but the report is much longer. We hosted the full report on GitHub, here.

If you're not interested in all security updates and you'd like to filter updates per product, you can use Microsoft's official Security Update Guide, available here.

| Tag | CVE ID | CVE Title |
|---|---|---|
| Adobe Flash Player | ADV180014 | June 2018 Adobe Flash Security Update |
| Microsoft Office | ADV180015 | Microsoft Office Defense in Depth Update |
| Device Guard | CVE-2018-8215 | Device Guard Code Integrity Policy Security Feature Bypass Vulnerability |
| Device Guard | CVE-2018-8212 | Device Guard Code Integrity Policy Security Feature Bypass Vulnerability |
| Device Guard | CVE-2018-8211 | Device Guard Code Integrity Policy Security Feature Bypass Vulnerability |
| Device Guard | CVE-2018-8221 | Device Guard Code Integrity Policy Security Feature Bypass Vulnerability |
| Device Guard | CVE-2018-8217 | Device Guard Code Integrity Policy Security Feature Bypass Vulnerability |
| Device Guard | CVE-2018-8216 | Device Guard Code Integrity Policy Security Feature Bypass Vulnerability |
| Device Guard | CVE-2018-8201 | Device Guard Code Integrity Policy Security Feature Bypass Vulnerability |
| HID Parser Library | CVE-2018-8169 | HIDParser Elevation of Privilege Vulnerability |
| Internet Explorer | CVE-2018-0978 | Internet Explorer Memory Corruption Vulnerability |
| Internet Explorer | CVE-2018-8113 | Internet Explorer Security Feature Bypass Vulnerability |
| Internet Explorer | CVE-2018-8249 | Internet Explorer Memory Corruption Vulnerability |
| Microsoft Edge | CVE-2018-8110 | Microsoft Edge Memory Corruption Vulnerability |
| Microsoft Edge | CVE-2018-8111 | Microsoft Edge Memory Corruption Vulnerability |
| Microsoft Edge | CVE-2018-8236 | Microsoft Edge Memory Corruption Vulnerability |
| Microsoft Edge | CVE-2018-8235 | Microsoft Edge Security Feature Bypass Vulnerability |
| Microsoft Edge | CVE-2018-0871 | Microsoft Edge Information Disclosure Vulnerability |
| Microsoft Edge | CVE-2018-8234 | Microsoft Edge Information Disclosure Vulnerability |
| Microsoft NTFS | CVE-2018-1036 | NTFS Elevation of Privilege Vulnerability |
| Microsoft Office | CVE-2018-8246 | Microsoft Excel Information Disclosure Vulnerability |
| Microsoft Office | CVE-2018-8247 | Microsoft Office Elevation of Privilege Vulnerability |
| Microsoft Office | CVE-2018-8244 | Microsoft Outlook Elevation of Privilege Vulnerability |
| Microsoft Office | CVE-2018-8245 | Microsoft Office Elevation of Privilege Vulnerability |
| Microsoft Office | CVE-2018-8254 | Microsoft SharePoint Elevation of Privilege Vulnerability |
| Microsoft Office | CVE-2018-8248 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2018-8252 | Microsoft SharePoint Elevation of Privilege Vulnerability |
| Microsoft Scripting Engine | CVE-2018-8229 | Chakra Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2018-8227 | Chakra Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2018-8267 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2018-8243 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Windows | CVE-2018-8175 | WEBDAV Denial of Service Vulnerability |
| Microsoft Windows | CVE-2018-1040 | Windows Code Integrity Module Denial of Service Vulnerability |
| Microsoft Windows | CVE-2018-8251 | Media Foundation Memory Corruption Vulnerability |
| Microsoft Windows | CVE-2018-0982 | Windows Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2018-8208 | Windows Desktop Bridge Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2018-8209 | Windows Wireless Network Profile Information Disclosure Vulnerability |
| Microsoft Windows | CVE-2018-8214 | Windows Desktop Bridge Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2018-8210 | Windows Remote Code Execution Vulnerability |
| Microsoft Windows | CVE-2018-8213 | Windows Remote Code Execution Vulnerability |
| Microsoft Windows | CVE-2018-8205 | Windows Denial of Service Vulnerability |
| Microsoft Windows | CVE-2018-8231 | HTTP Protocol Stack Remote Code Execution Vulnerability |
| Microsoft Windows | CVE-2018-8239 | Windows GDI Information Disclosure Vulnerability |
| Microsoft Windows | CVE-2018-8226 | HTTP.sys Denial of Service Vulnerability |
| Microsoft Windows | CVE-2018-8225 | Windows DNSAPI Remote Code Execution Vulnerability |
| Windows Hyper-V | CVE-2018-8218 | Windows Hyper-V Denial of Service Vulnerability |
| Windows Hyper-V | CVE-2018-8219 | Hypervisor Code Integrity Elevation of Privilege Vulnerability |
| Windows Kernel | CVE-2018-8207 | Windows Kernel Information Disclosure Vulnerability |
| Windows Kernel | CVE-2018-8233 | Win32k Elevation of Privilege Vulnerability |
| Windows Kernel | CVE-2018-8224 | Windows Kernel Elevation of Privilege Vulnerability |
| Windows Kernel | CVE-2018-8121 | Windows Kernel Information Disclosure Vulnerability |
| Windows Shell | CVE-2018-8140 | Cortana Elevation of Privilege Vulnerability |