Microsoft has fixed 65 vulnerabilities this month, over a third of which are critical and stretch across OS, browser and Office environments.
One of the most important fixes in this month’s security update round was actually released out-of-band in March. CVE-2018-1038 addresses a regression introduced by a patch rolled out in January (a kernel elevation of privilege flaw on 64-bit Windows 7 and Windows Server 2008 R2) and should be a “top priority” for Windows 7 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems, according to Chris Goettl, director of product management, security, at Ivanti.
He claimed that critical flaws in the OS, browser and Office would keep admins busy this month.
“There are multiple critical vulnerabilities in the Windows Operating System, Internet Explorer and Edge browsers, and on Office this month,” Goettl explained. “There are a few critical kernel vulnerabilities resolved, several Microsoft graphics and TrueType font driver vulnerabilities resolved and a host of critical browser vulnerabilities resolved.”
Elsewhere, Microsoft has patched an Important-rated SharePoint elevation of privilege bug (CVE-2018-1034) that was publicly disclosed before the fix shipped but is not known to have been exploited in the wild.
Greg Wiseman, senior security researcher at Rapid7, highlighted an unusual patch for a vulnerability in the Microsoft Wireless Keyboard 850.
“CVE-2018-8117 is a security feature bypass vulnerability, where an attacker able to extract the encryption key from a keyboard could then wirelessly send and/or read keystrokes, potentially reading sensitive data such as passwords or issuing malicious commands to a connected system,” he explained.
“At a high level, there's nothing out of the ordinary this month. Unfortunately, that means that the majority of the patched vulnerabilities are once again of the worst variety: Remote Code Execution (RCE).”
Also this month, Microsoft finally removed the antivirus compatibility registry key requirement it introduced in January: security updates containing the Meltdown/Spectre mitigations were only offered to systems on which the installed AV product had set a “QualityCompat” key to confirm it would not trigger BSOD crashes with the new kernel changes.
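For an admin who wants to confirm where a 64-bit Windows 7 or Server 2008 R2 host stands on the two items above, the following PowerShell check is an added example written for this page, not code from Microsoft or from the article. It assumes two things the page does not state and which should be verified against Microsoft’s advisory for CVE-2018-1038 and its antivirus compatibility guidance: that KB4100480 is the out-of-band package carrying the CVE-2018-1038 fix, and that the gating key is `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat` with the value name `cadca5fe-e7d3-4a4a-8c0e-c2b8ee8bd5e3`.

```powershell
# Added example (not from the article): report whether this host is in the
# population affected by CVE-2018-1038 (Windows 7 SP1 / Server 2008 R2 SP1, x64),
# whether the out-of-band fix is installed, and whether the AV compatibility key
# that gated Meltdown/Spectre updates is present.
#
# Assumptions not stated on the page (verify against Microsoft's advisory):
#   - $FixKb defaults to KB4100480, the package Microsoft published for CVE-2018-1038.
#   - The gating key and value name below are the ones Microsoft asked AV vendors to set.
param(
    [string]$FixKb = 'KB4100480'
)

$qualityCompatPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$qualityCompatValue = 'cadca5fe-e7d3-4a4a-8c0e-c2b8ee8bd5e3'

# Get-WmiObject rather than Get-CimInstance so this also runs on the stock
# PowerShell 2.0 that Windows 7 / Server 2008 R2 ship with.
$os = Get-WmiObject -Class Win32_OperatingSystem
# NT 6.1 is Windows 7 / Server 2008 R2; only the x64 builds received the bad January patch.
$isAffectedOs = ($os.Version -like '6.1.*') -and ($os.OSArchitecture -eq '64-bit')

# Get-HotFix reads the same data as "wmic qfe"; a missing KB returns nothing, not an error.
$fixInstalled = [bool](Get-HotFix -Id $FixKb -ErrorAction SilentlyContinue)

# The key is only meaningful if the named value exists; the data was expected to be DWORD 0.
$qc = Get-ItemProperty -Path $qualityCompatPath -ErrorAction SilentlyContinue
$avKeySet = ($null -ne $qc) -and ($null -ne $qc.PSObject.Properties[$qualityCompatValue])

$report = New-Object PSObject -Property @{
    ComputerName       = $env:COMPUTERNAME
    OSVersion          = $os.Version
    Architecture       = $os.OSArchitecture
    AffectedByTotalMeltdown = $isAffectedOs
    FixKb              = $FixKb
    FixInstalled       = $fixInstalled
    QualityCompatKeySet = $avKeySet
}

# A host that is in the affected population and lacks the fix is the one to chase first.
if ($isAffectedOs -and -not $fixInstalled) {
    Write-Warning "$($env:COMPUTERNAME): affected OS and $FixKb not installed; patch CVE-2018-1038 first."
}
$report | Format-List
```

Run it as an administrator on each candidate host (or wrap it in `Invoke-Command` against a server list). `Get-HotFix` only sees packages recorded in the Windows Update history, so a host imaged from a slipstreamed build may report the fix as missing even when the kernel is already updated; in that case compare the `ntoskrnl.exe` file version against the KB article instead.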
Alongside Microsoft there are the usual Adobe updates for system administrators to deal with this month.
The firm has patched 19 vulnerabilities across Flash Player, Experience Manager, InDesign, Digital Editions, ColdFusion and the PhoneGap Push Plugin, six of which are rated critical.