Microsoft’s April security updates include fixes for 66 vulnerabilities in Windows components, the Edge and Internet Explorer browsers, the Office suite, the Hyper-V hypervisor, Visual Studio and even a wireless keyboard. Of the 66 flaws, 22 are rated critical.
“The majority of the Microsoft critical vulnerabilities are in browsers and browser-related technologies,” said Jimmy Graham, director of product management at Qualys, in a blog post. “It is recommended that these be prioritized for workstation-type devices. Any system that accesses the internet via a browser should be patched.”
Another five critical vulnerabilities, for which patches should be prioritized on both workstations and servers, are located in the Microsoft Graphics component, particularly in the font library. These flaws can be exploited either through malicious fonts embedded into websites or locally through specially crafted documents.
This month’s security bulletin also includes a fix for a critical remote code execution vulnerability in the Microsoft Malware Protection Engine (MMPE) that Microsoft patched out-of-band last week. MMPE sits at the core of Microsoft’s anti-malware products including Windows Defender and Microsoft Security Essentials.
While none of the vulnerabilities patched this month were used in attacks, there is one elevation of privilege flaw in Microsoft SharePoint for which details have been publicly disclosed in advance.
Microsoft’s Office suite received fixes for 13 vulnerabilities, many of which allow for remote code execution through malformed files. However, they are rated as important because they are harder to exploit due to the suite’s protected mode which is enabled by default.
In addition to security patches, Microsoft also released microcode updates for systems using AMD CPUs to mitigate the Spectre version 2 vulnerability. Unlike Meltdown, which only affects Intel CPUs, and Spectre variant 1, which was mitigated through software updates, Spectre variant 2 requires both software and microcode updates.
Like Intel, AMD has added new features to its CPU microcode that can be used to prevent branch target injection, the technique behind Spectre variant 2. Updated microcode has been released for all of the company’s CPUs going back to the “Bulldozer” generation released in 2011.
For now, Microsoft has made the AMD microcode updates available to computers running Windows 10 (version 1709), but the company will also make them available for Windows Server 2016 in the future.
AMD has also shared the updates with its ecosystem partners, so the patches will be directly incorporated into BIOS updates released by PC, server and motherboard manufacturers.
Adobe Fixes Serious Vulnerabilities in Flash Player and Other Products
Adobe Systems also had a busy day April 10, releasing security patches for vulnerabilities in Flash Player, Adobe Experience Manager, Adobe InDesign CC, Digital Editions and the Adobe PhoneGap Push plugin.
The Flash Player update fixes three critical remote code execution flaws and three information disclosure issues rated as important. Users are advised to upgrade to Flash Player version 220.127.116.11 if they’re using the standalone runtime for Windows, macOS and Linux.
The Flash Player plug-in bundled with Google Chrome and Microsoft Edge will be updated automatically through those browsers’ respective update mechanisms.
Adobe Experience Manager, an enterprise content management system, received patches for three cross-site scripting vulnerabilities, two rated as important and one as moderate. Adobe InDesign CC was updated to version 13.1 to fix a critical memory corruption issue that can be exploited for arbitrary code execution, as well as an important search path vulnerability that can lead to local privilege escalation.
Adobe Digital Editions, an ebook reader software for publishers, received fixes for two information disclosure issues, while the Push plug-in used in the Adobe PhoneGap apps received a fix for a same-origin method execution issue that can be used to trick PhoneGap users into executing click events and other unintended interactions.