Today’s Patch Tuesday covers a lot of vulnerabilities, but in terms of critical updates, it is still light. Out of the 75 vulnerabilities covered, only 15 are marked as critical. Adobe has released patches as well, covering 7 vulnerabilities.
All of the critical vulnerabilities from Microsoft are in browsers and browser-related technologies. It is recommended that these be prioritized for workstation-type devices. Any system that accesses the Internet via a browser should be patched.
Out of the remaining “Important” vulnerabilities, one stands out. CVE-2018-0886 is a vulnerability in CredSSP, which is used to process authentication requests. While CredSSP is used for other applications, the attack scenario mentioned by Microsoft involves Remote Desktop. The update covers both the CredSSP protocol used by the RDP server as well as the RDP clients. Group Policy settings must be enabled to ensure full mitigation of the vulnerability for RDP. Microsoft has also given a tentative timeline for additional updates. In April, new versions of the RDP client will be released to add better error messages, and in May an update will be released to prevent clients from connecting using insecure versions of CredSSP.
CVE-2018-0883 is also worth noting, as it is a remote code execution vulnerability in the Windows Shell. It does require the user to download and open a malicious file in order to exploit it, but this patch should also be prioritized for workstation-type systems.
Microsoft has also released patches for Meltdown and Spectre covering more operating systems. 32-bit versions of Windows 7 and 8.1, as well as Server 2008 and 2012 now have mitigations for Meltdown and Spectre. There are still no known attacks on these vulnerabilities.
For Adobe, an update was released for Flash, which is distributed by Microsoft and Adobe to cover all supported platforms. This patch remediates 2 critical vulnerabilities and should be prioritized for workstation-type devices. There are currently no active attacks against these vulnerabilities. Updates were also released for Adobe Connect and Dreamweaver, covering another 3 vulnerabilities. The Dreamweaver vulnerability is marked as Critical.