This month's Patch Tuesday is medium in weight, with 54 CVEs, 17 of them Critical. All but two of the Critical vulnerabilities are in Microsoft's browsers or browser-related technologies. An additional speculative execution vulnerability announced in June was patched as well. Adobe has also released patches covering multiple products, each with multiple CVEs.
Browser Vulnerabilities
The 16 CVEs covering browsers should be prioritized for workstation-type devices, meaning any system where users commonly access the public internet through a browser or check email. This includes multi-user servers that are used as remote desktops for users.
Lazy FP State Restore
Following June's Patch Tuesday, Microsoft released information on all supported versions of Windows covering a new side-channel attack on speculative execution. This vulnerability is similar to other Meltdown/Spectre vulnerabilities, and does require the attacker to execute code on a vulnerable system. Patches have been made available for this Patch Tuesday, and are ranked as Important.
PowerShell Editor Services
A vulnerability was patched in PowerShell Editor Services. Microsoft has not provided a CVSS score for this vulnerability at the time of this posting, but has ranked it as Critical.
Microsoft Exchange / Oracle Outside In library
Microsoft also released out-of-band patches in June for Exchange Server that address vulnerabilities patched in the Oracle Outside In library. These patches should be prioritized for all Exchange servers.
Adobe
Adobe has released several patches covering Acrobat, Reader, Flash, Adobe Connect, and Adobe Experience Manager. Vulnerabilities in Acrobat, Reader, and Flash have been marked as critical. Flash has one critical CVE, while Acrobat and Reader have over 50. Microsoft has provided patches for Flash on supported operating systems. These patches should be prioritized for all workstation-type systems.
Qualys Inc. published this content on 10 July 2018 and is solely responsible for the information contained herein. Distributed by Public, unedited and unaltered, on 10 July 2018 18:38:01 UTC