make a good business better

Blog Information Security

Print Divider Print Divider Branding
 

Vulnerability Information Updates: June 2018

06/13/2018  |  By: Jessica Mantz

Share

Social Logo Social Logo Social Logo Social Logo

Microsoft Addresses 50 Vulnerabilities, Including Publicly-Disclosed Remote Code Execution Flaw

This month, Microsoft released security updates to address 50 vulnerabilities affecting the Windows operating system, Internet Explorer, Microsoft Edge, Microsoft Office, and the ChakraCore JavaScript engine. Although no zero-day vulnerabilities were included in this month’s patches, Microsoft released an update to address CVE-2018-8267, a publicly-disclosed remote code execution vulnerability in Microsoft’s scripting engine, affecting Internet Explorer. This vulnerability should be placed at the top of everyone’s Windows patch list this month. Other vulnerabilities to prioritize are CVE-2018-8231 and CVE-2018-8213. Both are critical remote code execution vulnerabilities, affecting Windows 10 and Windows Server 2016. With this month’s patches, Microsoft also included mitigations for Meltdown and Spectre by adjusting the default settings on Windows operating systems.

For more information on this month’s patches, please visit: 

Adobe Patches an Actively-Exploited Critical Zero-Day Flaw in Flash Player

Earlier this month, Adobe released patches to address four vulnerabilities in Flash Player, including one zero-day vulnerability (CVE-2018-5002) in Flash Player versions 29.0.0.171 and older. The flaw is due to a stack-based buffer overflow. Security researchers have reported that the flaw has been actively exploited in the Middle East after observing attackers delivering the exploit in a phishing campaign. Specifically, attackers have been detected sending a Microsoft Office document with a link that downloads a malicious Shockwave Flash file (SFW) if clicked on. Once the malicious file is downloaded, it will execute additional code to create a backdoor on the compromised system and provide the attackers with additional functionality on the victim’s system. It is recommended to update any Adobe Flash Player installations to the newest version as soon as possible.

More information on this can be found at: 

Cisco Releases Updates to Address 28 Vulnerabilities Including Two Critical

Cisco issued 28 security updates to address multiple vulnerabilities across a variety of products, including two critical vulnerabilities in its Prime Collaboration Provisioning (PCP) and IOS XE Software. The first vulnerability (CVE-2018-0321) is due to an open port found in the Network Interface and Configuration Engine (NICE) service of Cisco PCP affecting versions 11.6 and older. Cisco has stated that the vulnerability could allow an unauthenticated remote attacker to access the Java Remote Method Invocation (RIM) system on a vulnerable PCP instance. The second critical vulnerability (CVE-2018-0315) addressed by Cisco is a remote code execution and denial of service flaw in certain versions of Cisco’s IOS XE Software. The vulnerability is found in the software’s authentication process and could allow an attacker to exploit the vulnerability by attempting to authenticate to a vulnerable device. Cisco also addressed 11 high-severity vulnerabilities, but customers should first focus on remediating CVE-2018-0321 and CVE-2018-0315 as soon as possible.

For more information, please visit:

Vulnerability Information Updates: June 2018

Related People

  • Jessica Mantz