July 2018 Patch Tuesday Briefing
As a service to our customers, going forward we’ll be posting a monthly bulletin each Patch Tuesday (the second Tuesday of every month). Below, you’ll find information about the new updates released by Microsoft and Adobe this month, and any additional information that may be helpful in prioritizing these newly released vulnerabilities.
If Kenna is aware of any exploits or exploitation events for newly released CVEs, this information will be mentioned in this post below. At the time of writing, no exploits or exploitation events have been spotted in the wild for any CVEs released today. As always, upon receiving new intelligence against a given CVE or vulnerability, Kenna Risk Meter scores will be automatically adjusted upward for the specific CVE or software. To learn more about how Kenna scores assets and vulnerabilities, see our Scoring documents.
This month’s Microsoft release covered 53 new vulnerabilities, 17 of which are rated critical, 34 important, one moderate, and one low, in the following 15 products:
- Adobe Flash Player
- Internet Explorer
- Microsoft Edge
- Microsoft Office and Microsoft Office Services and Web Apps
- Microsoft Windows
- Microsoft Wireless Display Adapter V2 Software
- .NET Framework
- PowerShell Editor Services
- PowerShell Extension for Visual Studio Code
- Skype for Business and Microsoft Lync
- Visual Studio
- Web Customizations for Active Directory Federation Services
In addition, the ongoing guidance for the Speculative Store Bypass and Speculative Execution side-channel vulnerabilities was updated, along with guidance for 10 CVEs released prior to today.
Adobe released bulletins and patches for a whopping 112 vulnerabilities this cycle, with 53 critical bugs and 51 vulnerabilities rated important in the following products:
- Flash Player (2) – 1 important, 1 critical
- Acrobat and Reader (104) – 53 important, 51 critical
- Experience Manager (3) – 3 important
- Adobe Connect (3) – 2 important, 1 moderate
One follow-on point to the Adobe Experience Manager bulletin: the SSRF class of application security vulnerability has seen increased activity and interest from researchers and attackers in the last 2 years. While the vulnerabilities are rated Important by Adobe and no activity has yet been detected, the fact that this class of vulnerability is often easily discoverable suggests that you will want to apply patches immediately.
As always, Kenna scores are dynamic, and subject to significant adjustment based on new intelligence. To check the latest scores, sign up here.