Microsoft Patches Two Dozen Critical Flaws in Windows, Browsers

Microsoft’s Patch Tuesday updates for April 2018 resolve a total of 66 vulnerabilities, including nearly two dozen critical issues affecting Windows and the company’s web browsers.

None of the flaws patched this month appear to have been exploited in the wild, but one privilege escalation vulnerability discovered by a Microsoft researcher in SharePoint has been disclosed to the public.

A majority of the critical flaws affecting Internet Explorer and Edge are related to scripting engines and they allow remote code execution.

A remote code execution flaw affecting the VBScript engine has also been rated critical. The security hole can be exploited via malicious websites or documents. Trend Micro’s Zero Day Initiative (ZDI) noted that while this is similar to browser bugs, the attack surface is broader due to the possibility of exploitation using Office documents.

Several critical vulnerabilities that allow remote code execution have also been found in graphics components, specifically font libraries and how they handle embedded fonts.

“Since there are many ways to view fonts – web browsing, documents, attachments – it’s a broad attack surface and attractive to attackers. Given the history of malicious fonts, these patches should be high on your test and deployment list. This is also a good time to remind you to not do day-to-day tasks as an administrator,” ZDI’s Dustin Childs explained in a blog post.

Microsoft also informed customers that its Wireless Keyboard 850 is affected by a security feature bypass vulnerability that can be exploited to simulate keystrokes and send malicious commands to the targeted computer. An attacker could also exploit this flaw to read keystrokes, which can include sensitive information, such as passwords.

“[The vulnerability] could allow an attacker to reuse an AES encryption key to send keystrokes to other keyboard devices or to read keystrokes sent by other keyboards for the affected devices. An attacker would first have to extract the AES encryption key from the affected keyboard device. The attacker would also need to maintain physical proximity – within wireless range – of the devices for the duration of the attack,” Microsoft said.

Adobe’s Patch Tuesday updates address a total of 19 vulnerabilities across six products. Six flaws have been fixed in Flash Player, which Microsoft also resolved in Windows.

Earlier this month, Microsoft announced the release of an update for its Malware Protection Engine to patch a critical vulnerability that could have been exploited to take control of a system by placing a malicious file in a location where it would be scanned.

Related: Microsoft Patches for Meltdown Introduced Severe Flaw

Related: Microsoft Releases More Patches for Meltdown, Spectre

Related: Microsoft Patches for CPU Flaws Break Windows, Apps

view counter

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Previous Columns by Eduard Kovacs: