The loudest is a remote code execution vulnerability in the Windows VBScript Engine affecting all versions of Windows, first spotted being exploited by nation state cybercriminals three weeks ago by Chinese security firm Qihoo 360.
Dubbed ‘Double Kill’ (CVE-2018-8174), it can be deployed in a number of ways, including by luring an Internet Explorer user to a malicious website with embedded VBScript, using an ActiveX control marked ‘safe for initialization’, or via a malicious RTF file in an Office document.
Any one of these scenarios gives attackers control over the victim’s computer for data theft, eavesdropping or deploying ransomware, Microsoft said, hence the need to apply a patch as a high priority.
The next 0-day is CVE-2018-8120, an elevation-of-privilege vulnerability in the Win32k subsystem of Windows 7 32/64-bit and Windows Server 2008 R2.
An attacker would need to be logged into the target already in order to exploit the flaw, which is why it’s listed as ‘important’ rather than critical.
Microsoft hasn’t said how it’s being exploited, but having this kind of vulnerability to hand is gold for cybercriminals, which is why it should also be on the immediate fix list for anyone running Windows 7.
Two others worth mentioning are CVE-2018-8141, a kernel information disclosure flaw affecting Windows 10 1709, and CVE-2018-8170, an elevation of privilege vulnerability in Windows 1709 and 1703 32-bit.
Both are marked important rather than critical but information about them is said to be in the public domain without exploits having been detected.
The best of the rest
Microsoft’s May vulnerability count reaches 68 CVEs, 21 of which are rated critical, 45 important, and only two low impact.
Microsoft’s site offers plenty of detail on these vulnerabilities by platform and product but you’ll find a quicker-to-digest summary here.
Still fixing Flash
It’s not just Microsoft who is issuing patches – Adobe has fixed five CVEs.
One worth underlining is a critical fix for Flash Player (CVE-2018-4944) affecting all platforms including Windows 10 (Edge) and 8.1 and Server 2012/R2 (IE). The vulnerable version is 220.127.116.11, which requires an update to 18.104.22.168.
Flash is on its way out, but it’s likely that plenty of systems still have it installed and running for one reason or another, which is why we mark it for special attention.