This month’s Patch Tuesday is medium in weight, with 54 CVEs, 17 of them rated Critical. All but two of the Critical vulnerabilities are in Microsoft’s browsers or browser-related technologies. An additional speculative execution vulnerability announced in June was patched as well. Adobe has also released patches covering multiple products, each with multiple CVEs.
The 16 CVEs covering browsers should be prioritized for workstation-type devices, meaning any system where users commonly access the public internet through a browser or check email. This includes multi-user servers that are used as remote desktops for users.
Lazy FP State Restore
Following June’s Patch Tuesday, Microsoft released information covering a new side-channel attack on speculative execution for all supported versions of Windows. This vulnerability is similar to other Meltdown/Spectre vulnerabilities, and does require the attacker to execute code on a vulnerable system. Patches have been made available for this Patch Tuesday, and are ranked as Important.
PowerShell Editor Services
A vulnerability was patched in PowerShell Editor Services. Microsoft has not provided a CVSS score for this vulnerability at the time of this posting, but has ranked it as Critical.
Microsoft Exchange / Oracle Outside In library
Microsoft also released out-of-band patches in June for Exchange Server that address vulnerabilities patched in the Oracle Outside In library. These patches should be prioritized for all Exchange servers.
Adobe has released several patches covering Acrobat, Reader, Flash, Adobe Connect, and Adobe Experience Manager. Vulnerabilities in Acrobat, Reader, and Flash have been marked as critical. Flash has one critical CVE, while Acrobat and Reader have over 50. Microsoft has provided patches for Flash on supported operating systems. These patches should be prioritized for all workstation-type systems.