All eyes may be on Build 2018 this week, but it’s also Patch Tuesday. Microsoft on Tuesday released a bundle of security updates to fix at least 67 holes in its various Windows 10 operating systems and related software, including two critical remote code-execution vulnerabilities, both of which are under active attack. The more serious of the two is tied to a Windows 10 VBScript engine and can be triggered when a victim visits a malicious website.
“A user need only visit a malicious website to have attacker-control code execute on their machine,” according to Microsoft’s description of the bug (CVE-2018-8174). The flaw could also be used in conjunction with a malicious ActiveX control marked “safe for initialization” in an app, an Office document or within IE’s rendering engine, Microsoft said.
For April 2018 Update users, May’s update is rolling out as KB4103721 and build 17134.48. Here’s a look at what’s fixed:
▬ Addresses an issue with the April 2018 Windows Servicing update that causes App-V Scripts (User Scripts) to stop working.
▬ Addresses an issue that prevents certain VPN apps from working on builds of Windows 10, version 1803. These apps were developed using an SDK version that precedes Windows 10, version 1803, and use the public RasSetEntryProperties API.
▬ Addresses additional issues with updated time zone information.
▬ Addresses an issue that may cause an error when connecting to a Remote Desktop server. For more information, see CredSSP updates for CVE-2018-0886.
▬ Security updates to Windows Server, Microsoft Edge, Internet Explorer, Microsoft scripting engine, Windows app platform and frameworks, Windows kernel, Microsoft Graphics Component, Windows storage and filesystems, HTML help, and Windows Hyper-V.
Meanwhile, as it usually does on Microsoft’s Patch Tuesday — the second Tuesday of each month — Adobe has a new Flash Player update, which brings Flash Player to v. 18.104.22.168 and addresses a single but critical security weakness. Some (present company included) would argue that Flash Player is itself “a single but critical security weakness.” Nevertheless, Google Chrome and Internet Explorer/Edge ship with their own versions of Flash, which get updated automatically when new versions of these browsers are made available.
You can check if your browser has Flash installed/enabled and what version it’s at by pointing your browser at this link. Adobe is phasing out Flash entirely by 2020, but most of the major browsers already take steps to hobble Flash. And with good reason: It’s a major security liability.