Microsoft’s Patch Tuesday cleared 67 vulnerabilities, including two Zero Days, in Windows, Office, Internet Explorer and Edge.
Of all the vulnerabilities, there were two Zero Day holes which Microsoft said IT administrators should prioritize.
Microsoft Clears Host Compute Service Library Hole
Microsoft’s Solution to Secure Critical Infrastructure
Hole Open in Secure Windows 10 Version
More Microsoft Microcode Spectre Patches
Out of the other patched flaws, 21 have been assigned a critical severity rating, while 32 of them allow for Remote Code Execution.
In terms of the Zero Days, CVE-2018-8174 describes an issue in the way the scripting engine handles memory objects, and Internet Explorer as well as apps that integrate its engine are vulnerable to attacks. Exploiting this bug could grant the attacker full control of the system.
“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website,” Microsoft said in a post. The software giant did say attacks have already been detected.
“An attacker could also embed an ActiveX control marked ‘safe for initialization’ in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.”
A second Zero Day, CVE-2018-8120, was fixed this month. The vulnerability exists in Windows 7 SP1 and Windows Server 2008 SP1 and SP2.
Microsoft said it has already discovered several exploits. A successful attack provides a hacker with rights to run arbitrary code in kernel mode and Microsoft explains the exploit involves malicious actors first logging on to the system.
Overall, browsers are getting 18 patches this month, and Windows 10 devices are vulnerable as well. Users can patch their systems by installing the most recent cumulative updates.