Microsoft Releases More Spectre/Meltdown Patches

It’s shaping up to be a relatively light patch load for administrators this month, with just 15 critical vulnerabilities to fix out of a total of 75.

The update round covered the usual wide range of products, including Internet Explorer (IE), Edge, ChakraCore, Microsoft Windows, Microsoft Office, Exchange and ASP.NET Core.

Two have been publicly disclosed, meaning that hackers may be exploiting them in the wild, although the bugs themselves are only rated “Important”. They are: CVE-2018-0940, affecting Microsoft Exchange Server 2010-2016 and CVE-2018-0808, which hit ASP.NET Core 2.0 systems.

“The Windows Kernel received a lot of attention this month, likely due to the ongoing attention on Meltdown and Spectre vulnerabilities. I stopped counting the CVEs after a dozen,” said Ivanti director of product management, security, Chris Goettl. “The good news is I did not see anything higher than an Important rating, but those are a lot of changes in the Kernel. Test the OS updates well this month.”

As regards Spectre and Meltdown, Microsoft has released patches for 32-bit versions of Windows 7 and 8.1, as well as Server 2008 and 2012.

All the critical updates fix problems in the browser, or browser-related technologies and should be dealt with first, claimed Qualys director of product management, Jimmy Graham.

He highlighted another “Important” vulnerability for special attention. CVE-2018-0886 affects the Credential Security Support Provider (CredSSP) protocol, which is used to process authentication requests, and could allow an attacker with man-in-the-middle capabilities to gain full access to a Remote Desktop Protocol (RDP) session.

“While CredSSP is used for other applications, the attack scenario mentioned by Microsoft involves Remote Desktop. The update covers both the CredSSP protocol used by the RDP server as well as the RDP clients,” he explained.

“Group Policy settings must be enabled to ensure full mitigation of the vulnerability for RDP. Microsoft has also given a tentative timeline for additional updates. In April, new versions of the RDP client will be released to add better error messages, and in May an update will be released to prevent clients from connecting using insecure versions of CredSSP.”
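As an added example (not part of the article or of Microsoft's own tooling), the following PowerShell audit reads the CredSSP policy that Graham's Group Policy remark refers to and reports whether a host is still in the weak state. The registry path, the AllowEncryptionOracle value name and its three meanings are assumed from Microsoft's published guidance for CVE-2018-0886, not taken from this article.

```powershell
# Added example: audit the CredSSP "Encryption Oracle Remediation" policy behind
# the CVE-2018-0886 mitigation on the local Windows host.
# Assumption (from Microsoft's CVE-2018-0886 guidance, not from the article):
# the policy is the DWORD AllowEncryptionOracle under the path below, where
# 0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable.
$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$Name = 'AllowEncryptionOracle'

$meaning = @{
    0 = 'Force Updated Clients: connections to unpatched peers are refused (strongest)'
    1 = 'Mitigated: this host will not fall back to the insecure CredSSP version'
    2 = 'Vulnerable: insecure fallback still permitted; an RDP MitM remains possible'
}

# Read the value without throwing if the key or value does not exist.
$value = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name

if ($null -eq $value) {
    # No explicit policy: behaviour then depends on which update is installed,
    # so confirm patch state (e.g. with Get-HotFix) rather than assuming safety.
    Write-Output "$Name not set: policy not configured; verify the March 2018 update is installed"
} elseif ($meaning.ContainsKey([int]$value)) {
    Write-Output ("{0} = {1}: {2}" -f $Name, $value, $meaning[[int]$value])
} else {
    Write-Output "$Name = $value: unrecognised value, treat as misconfigured"
}

# Non-zero exit marks the weak setting so the script can feed a compliance check.
if ($value -eq 2) { exit 1 } else { exit 0 }
```

Run it under an elevated prompt on each RDP server and client in scope; hosts that report "Vulnerable" or "not set" are the ones still to be reconciled with the Group Policy setting.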

Adobe also released patches for seven vulnerabilities.
