make a good business better

Blog Information Security

Print Divider Print Divider Branding
 

Vulnerability Information Updates: April 2018

04/23/2018  |  By: Jessica Mantz

Share

Social Logo Social Logo Social Logo Social Logo

Microsoft Addresses 66 Vulnerabilities in April—24 Are Critical

In Microsoft’s April security updates, the company released patches to address 66 vulnerabilities, 24 of which were rated critical. The vulnerabilities affect a variety of Microsoft products including Internet Explorer, Edge, Windows Visual Studio, ChakraCore, Microsoft Office, Adobe Flash, and its Malware Protection Engine.  

System owners should focus on applying an out-of-band patch that was also released in April’s security updates to address CVE-2018-1038, if they have not done so already. This privilege escalation vulnerability could allow an attacker to access data, install programs, and create new user accounts on Windows 7 and Server 2008 R2 systems.  

Microsoft also disclosed a SharePoint privilege escalation vulnerability (CVE-2018-1034) but has not released a patch for it yet.

For more information, please visit: 

Critical Vulnerability Found in Cisco Switches Affecting 8.5 Million Devices

Cisco addressed a critical vulnerability which could allow an unauthenticated, remote attacker to gain control of an affected device or trigger a reload and crash of the system. The vulnerability (CVE-2018-0171) was found in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software. 

The vulnerability can be exploited by sending a crafted Smart Install message to a vulnerable device on TCP port 4786. Researchers have stated that approximately 8.5 million Internet-accessible devices were detected with the port open. Proof-of-Concept exploit code is beginning to be utilized by attackers to leverage the flaw. Cisco recommends applying the latest security updates to any affected device as soon as possible.

More information can be found at:

Drupal Addresses Highly Critical Unauthenticated Remote Code Execution Flaw

Drupal recently alerted users to a critical remote code execution vulnerability affecting versions 6, 7, and 8 of its content management system (CMS) platform. The vulnerability, CVE-2018-7600, is classified as an input validation issue that could allow an attacker to exploit multiple attack vectors on an affected Drupal site which could result in a complete compromise of the site. Drupal developers estimate over one million sites running Drupal are affected by this vulnerability. However, at this time there are no reports of the vulnerability actively being exploited. Drupal urges users to upgrade to the most recent version of Drupal 7 or 8 core immediately.

Learn more by visiting: 

Vulnerability Information Updates: April 2018

Related People

  • Jessica Mantz