Microsoft Patches Two Zero-Day Flaws this Month


On Tuesday, Microsoft issued patches for two vulnerabilities currently being exploited by hackers. One of them allows attackers to run arbitrary code in kernel mode, meaning they could fully compromise any vulnerable system, install malware and steal all data. Of the rest of the flaws, 42 are rated as important while four are of low severity.

Along with Office documents, Microsoft said the vulnerability, CVE-2018-8174, could be exploited in any application that uses the Internet Explorer engine by embedding an ActiveX control marked "safe for initialization" in the app. Chris Goettl, director of product management at Ivanti, warned that websites accepting or hosting user-generated content or ads could also be used to exploit the vulnerability.

Microsoft's May Patch Tuesday CVE roundup also includes two official "public disclosures". A vulnerability in the VBScript engine allowed a zero-day exploit to infect machines when specially crafted scripts were opened; these scripts can corrupt memory, creating the opportunity for arbitrary code execution.

Researchers claim that a novel vulnerability discovered in VBScript, which can be exploited in Microsoft Office documents, as well as Internet Explorer and similar browsers, is likely to be very widely leveraged by attackers in the future.

"CVE-2018-8120 is an elevation of privilege vulnerability affecting Windows 7, Server 2008, and Server 2008 R2," said Wiseman. This allows a standard user account to obtain full system access, although it should be noted that a user must already be logged in to perform the exploit.

Also, Microsoft has fixed a spoofing vulnerability in its Azure IoT Device Provisioning AMQP Transport library.

Microsoft has also released a fix for a bypass vulnerability in a Windows security feature called Device Guard that notably affects devices in Windows 10 S locked-down mode. Similarly, the issue was patched in Linux in March, as well as in Mac OS in Security Update 2018-001.

As regular readers will be well aware, the Windows 10 April 2018 Update arrived just in the nick of time, a few hours before May arrived.

First, however, some organizations may need to update their version of Windows to ensure they're still getting the latest cumulative and security updates.