Microsoft Fixes 54 Vulnerabilities on July’s Patch Tuesday

Microsoft fixed 54 vulnerabilities across its products on July 10 as part of its monthly patch cycle. Seventeen of those flaws are rated critical, and three of them were publicly disclosed before the patches were released.

In terms of impact, nearly half of the flaws—27—can lead to remote code execution. Eight vulnerabilities can be used to bypass security features, seven can lead to privilege escalation, four can lead to denial of service, five can lead to information disclosure, two can lead to tampering and two can lead to spoofing.

The patched vulnerabilities affect 15 products, including Windows, Internet Explorer, Microsoft Edge, Microsoft Office and Office Services, .NET Framework, Visual Studio, PowerShell Editor Services and the Microsoft Research JavaScript Cryptography Library.

“The 16 CVEs covering browsers should be prioritized for workstation type devices, meaning any system where users are commonly accessing the public internet through a browser or checking email,” Jimmy Graham, director of product management at vulnerability management firm Qualys, said in a blog post. “This includes multi-user servers that are used as remote desktops for users.”

Only two of the patched critical vulnerabilities are not located in Microsoft’s browsers. One affects the PowerShell Editor Services and should be prioritized because PowerShell has become a preferred method for attackers to deliver malicious payloads over the past few years.

Microsoft also released patches for a Spectre-like side-channel vulnerability called LazyFP that was publicly disclosed in June and stems from the speculative execution feature of Intel CPUs.

Qualys’ Graham also reminds systems administrators that Microsoft released out-of-band patches in June for Exchange Server to patch flaws identified in a third-party file parsing library called Oracle Outside In. If they haven’t been deployed yet, those patches should be prioritized as well.

Intel has also released a batch of 12 security advisories for vulnerabilities that affect its hardware and software products. This is reportedly part of the company’s plan to switch to a quarterly release schedule for security updates that’s better aligned with the patch cycles of other vendors, including Microsoft.

Adobe Squashes 100+ Bugs in Reader, Acrobat, Other Products

Adobe has released its monthly batch of security patches, addressing 104 vulnerabilities in Adobe Reader and Acrobat, Adobe Connect, Adobe Experience Manager and Flash Player.

The vast majority of the flaws, 96, were patched in Reader and Acrobat and are rated critical or important. Their successful exploitation can lead to arbitrary code execution, privilege escalation or information disclosure.

Fortunately, Adobe is not aware of attacks in the wild that are exploiting any of those flaws. The company advises users to update their Adobe Reader and Acrobat DC installations to version 2018.011.20055 if they are on the Continuous track, to version 2017.011.30096 on the Classic 2017 track and to version 2015.006.30434 on the Classic 2015 track.

The security update for the Adobe Connect web conferencing solution fixes two authentication bypass vulnerabilities that could lead to session hijacking and sensitive information disclosure, as well as one insecure DLL loading issue that could be exploited for privilege escalation. Adobe assigned an update priority of 2 for the Connect patches and advises users to upgrade to version 9.8.1.

The company also released patches for Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1 and 6.0 to fix three server-side request forgery (SSRF) vulnerabilities that are rated important and could lead to sensitive information disclosure.

Finally, the updates for Flash Player address a critical arbitrary code execution vulnerability and an information disclosure flaw rated important. Users are advised to update to Flash Player 30.0.0.134 for their respective platforms.

It’s worth noting that this is Adobe’s last scheduled security update before the Black Hat and DEF CON conferences in early August, where security researchers typically gather to discuss vulnerabilities they found throughout the year. This might explain the massive number of flaws patched in Adobe Reader and Acrobat now to avoid any risk of public disclosure.


Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
