'

Microsoft Patch Tuesday: 60 vulnerabilities resolved including two active exploits

A total of 19 vulnerabilities are deemed critical, including two zero-day flaws being actively used in the wild.

Microsoft's Windows Patch Tuesday resolves a total of 60 vulnerabilities, many of them critical, in addition to two zero-day security flaws which are being actively used in attacks today.

The Redmond giant published a security advisory detailing the latest round of updates on Tuesday.

The update impacts the Windows operating system, Internet Explorer, Microsoft Edge, Microsoft Office services and apps, ChakraCore, the .NET Framework, Microsoft Exchange and SQL Server, as well as Visual Studio.

Security updates were also released for Adobe Flash Player.

The two zero-day exploits of note are CVE-2018-8414 and CVE-2018-8341, both of which have been patched.

CVE-2018-8414 is a remote code execution vulnerability which occurs when the Windows Shell does not properly validate paths. The bug can be exploited through the use of a crafted file, potentially sent through phishing emails.

If exploited, attackers could run arbitrary code in the context of the current user -- a particular problem should the victim be logged in as an administrator -- and could install unwanted programs, deploy malware, view, delete, or change data, or create new accounts.

The second zero-day vulnerability, CVE-2018-8341, is an information disclosure flaw caused by the improper handling of objects in memory by the Windows kernel.

In order to trigger the vulnerability, a threat actor would need to be able to login to a vulnerable system and run a crafted application.

"The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system," Microsoft says.

Microsoft also resolved a buffer flow engine vulnerability, CVE-2018-8273, in MySQL Server 2016 and 2017. If exploited, attackers are able to remotely execute code in the context of the SQL Server Database Engine service account.

Three important information disclosure vulnerabilities -- CVE-2018-8398, CVE-2018-8396, and CVE-2018-8394 -- which impact the Windows operating system and Windows Server have been resolved.

A slew of additional information disclosure bugs affecting Microsoft Excel, Office, Edge, the .NET framework, and Microsoft Browser have been patched.

Memory corruption issues affecting Microsoft Edge, Internet Explorer, ChakraCore, and Microsoft Exchange have also been resolved, among other vulnerabilities.

TechRepublic: Microsoft 365: A cheat sheet

Microsoft also issued guidance on new L1 Terminal Fault (L1TF) speculative execution vulnerabilities, variants of Spectre and Meltdown, in Intel processors. The company has released a technical analysis and options for mitigation.

These vulnerabilities, CVE-2018-3615, CVE-2018-3620 and CVE-2018-3646, were disclosed on Tuesday by Intel. The new attack vector has been called Foreshadow.

See also: Microsoft reveals more details of Windows Core OS

In July, Microsoft resolved a total of 53 vulnerabilities, 17 of which were deemed critical. In the same month, security patch expert Susan Bradley posted an open letter to Microsoft, requesting that the company gets its act together.

The problem is that the quality of recent Windows patches has not necessarily been up to par. There has been an uptick in shoddy patches that may break systems or cause compatibility issues with other software.

CNET: Which Microsoft Surface should I buy?

"The quality of updates released in the month of July, in particular, has placed customers in a quandary: install updates and face issues with applications, or don't install updates and leave machines subject to attack," Bradley said.

Previous and related coverage