Update now! Microsoft’s April 2018 Patch Tuesday – 65 vulns, 24 critical

With the Windows 10 1803 Spring Creators Update delayed at the eleventh hour for unknown reasons, admins and end users will still receive plenty of updates in the April 2018 Patch Tuesday.

The big picture is 65 security fixes assigned CVE numbers, 23 of which (plus a separate Adobe Flash flaw) are rated critical, with no true zero-days among them.

A critical 66th CVE on the list should already have been fixed a week ago through an emergency patch that Microsoft issued for a remote code execution (RCE) vulnerability (CVE-2018-0986) in the Microsoft Malware Protection Engine (MMPE).

Affecting Security Essentials, Intune Endpoint Protection, Windows Defender, Exchange Server 2013/2016, and Forefront Endpoint Protection 2010, this patch should have been applied automatically via MMPE itself.

A breakdown of the remaining 22 critical flaws shows:

  • Seven memory corruption vulnerabilities in the Chakra Scripting Engine (Edge’s JavaScript interpreter).
  • Five RCE flaws in Microsoft Graphics’ Windows font library.
  • Four affecting Internet Explorer.
  • Four affecting the scripting engine also used by Internet Explorer.
  • One affecting Windows 10’s Edge browser.
  • One RCE in the Windows VBScript engine.

The five font-themed flaws attracted warnings from experts, including Dustin Childs of vulnerability research company Zero Day Initiative:

Since there are many ways to view fonts – web browsing, documents, attachments – it’s a broad attack surface and attractive to attackers.

A final interesting flaw is CVE-2018-0850, rated “Important” and affecting Microsoft Outlook.

Will Dormann of US CERT CC reported it way back in November 2016, and the update patches it, but not entirely, he said:

This update prevents automatic retrieval of remote OLE objects in Microsoft Outlook when rich text email messages are previewed. If a user clicks on an SMB link, however, this behavior will still cause a password hash to be leaked.
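Because a clicked SMB link still leaks a hash after this update, defenders may want to flag such links before mail reaches Outlook. The Python below is an added example, not code from Microsoft, US CERT CC or Naked Security; it assumes messages are available as RFC 5322 text, inspects only text/plain and text/html parts, and uses a constructed sample message with made-up hosts.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser

# \\host\share paths and file://host/ URLs resolve to SMB when opened on Windows.
UNC_RE = re.compile(r'\\\\([A-Za-z0-9._-]+)\\[^\s"<>]+')
FILE_URL_RE = re.compile(r'file:/{2,}([A-Za-z0-9._-]+)/', re.I)

class LinkCollector(HTMLParser):
    """Collects href/src values; HTMLParser decodes entities in attributes."""
    def __init__(self):
        super().__init__()
        self.targets = []
    def handle_starttag(self, tag, attrs):
        self.targets += [v for k, v in attrs if k in ("href", "src") and v]

def remote_smb_hosts(text):
    """Return the set of remote hosts referenced by UNC or file:// links."""
    hosts = {m.group(1).lower()
             for rx in (UNC_RE, FILE_URL_RE) for m in rx.finditer(text)}
    hosts.discard("localhost")  # file://localhost/ is the local machine
    return hosts

def scan_message(raw):
    """Scan the text parts of a message; return a sorted list of remote hosts."""
    found = set()
    for part in message_from_string(raw, policy=policy.default).walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        body = part.get_content()
        if ctype == "text/html":
            collector = LinkCollector()
            collector.feed(body)
            # Also scan decoded attribute values to catch entity-encoded links.
            body += "\n" + "\n".join(collector.targets)
        found |= remote_smb_hosts(body)
    return sorted(found)

# Constructed sample message (hosts and addresses are made up for illustration).
SAMPLE = """\
From: sender@example.test
To: user@example.test
Subject: Q2 figures
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Report: <a href="file://files.example.test/share/q2.xlsx">open</a></p>
<p>Backup copy at \\\\10.0.0.5\\public\\q2.xlsx</p>
<p><a href="https://example.test/ok">site</a> <a href="file:///C:/local.txt">local</a></p>
</body></html>
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

Rich text (TNEF) bodies are not parsed here, so this check complements the update rather than replacing it.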

Spectre chip flaws

In parallel news, AMD has issued a Windows microcode update addressing the Spectre variant 2 chip flaw (CVE-2017-5715) that Naked Security covered last week in relation to older Intel microprocessors.

For Windows 10 users, this works in tandem with a Microsoft update (look for “April 2018 Windows OS updates”), installed in conjunction with each PC manufacturer’s BIOS updates. Linux mitigations were released earlier in 2018, AMD said.

TL;DR: in the four words of Naked Security’s security update mantra: patch early, patch often.

Note. The Microsoft Knowledge Base (KB) update number you see depends on your Windows version and build number. The latest Windows 10 build is 16299.371 (1709), for which the update appears as KB4093112.