March Patch Tuesday 2018
Microsoft has released 14 updates this month including updates for all supported Windows Operating Systems, versions of IE, Office, SharePoint, and Exchange server.
There are also ASP.NET Core, Chakra Core, and PowerShell Core updates. These do not have a patch package to apply; instead, new binaries are available that need to be integrated into your DevOps process this month so they are included in your next push to production.
Microsoft has resolved 78 unique vulnerabilities this month, two of which have been publicly disclosed. A public disclosure means enough information was released publicly for an attacker to get a jump-start or potentially to have access to concept code, making an exploit more likely.
The disclosures this month affect Microsoft Exchange Server 2010 through 2016 editions (CVE-2018-0940) and ASP.NET Core 2.0 (CVE-2018-0808). Both disclosed vulnerabilities are rated as Important, so they are not as severe, but the risk of exploit is higher due to the disclosure.
The Windows Kernel received a lot of attention this month, likely due to the ongoing attention on Meltdown and Spectre vulnerabilities. I stopped counting the CVEs after a dozen. The good news is I did not see anything higher than an Important rating, but that is a lot of changes in the Kernel. Test the OS updates well this month.
Speaking of Meltdown and Spectre…
MELTDOWN AND SPECTRE UPDATE
Microsoft has released additional update support for the Meltdown vulnerabilities (ADV180002). The Monthly Rollup and Security Only bundles for Server 2008 and 2012 and Windows 7 x86 now include the mitigation features. This means that these systems now require the AV registry key as a dependency to be able to apply the March updates. For Server 2008 and 2012, applying the updates this month puts the mitigation features in place, but registry changes need to be made to enable them, as they are not active by default.
The AV registry key is still required for all Microsoft OS and IE updates this month.
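A read-only check of the two registry dependencies described above, as an added example that is not part of the original post. The key paths, value names and expected data (0 for the AV compatibility value; 0 and 3 for the server enablement values) are not given on this page; they are taken from Microsoft's published guidance for ADV180002 and should be confirmed against the advisory.

```powershell
# Added example: read-only audit, nothing is written to the registry.
# Key paths, value names and expected data come from Microsoft's public guidance
# for ADV180002, not from this page; confirm them against the advisory.
$AvKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$AvValue = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'   # expected REG_DWORD 0
$MmKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of raising an error.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-MeltdownRegistryState {
    $os       = Get-WmiObject -Class Win32_OperatingSystem
    $isServer = ($os.ProductType -ne 1)          # 1 = workstation, 2/3 = server roles
    $av       = Get-RegValue -Path $AvKey -Name $AvValue
    $override = Get-RegValue -Path $MmKey -Name 'FeatureSettingsOverride'
    $mask     = Get-RegValue -Path $MmKey -Name 'FeatureSettingsOverrideMask'

    # The page states the AV key is a dependency for this month's OS and IE updates.
    $avReady = ($null -ne $av) -and ($av -eq 0)

    if (-not $isServer) {
        $mitigation = 'Client OS: server enablement check not applicable'
    } elseif (($null -ne $override) -and ($override -eq 0) -and ($mask -eq 3)) {
        $mitigation = 'Server OS: enablement values set'
    } else {
        $mitigation = 'Server OS: enablement values NOT set, mitigations inactive'
    }

    New-Object PSObject -Property @{
        Computer                    = $env:COMPUTERNAME
        OS                          = $os.Caption
        AvCompatKeyPresent          = $avReady
        FeatureSettingsOverride     = $override
        FeatureSettingsOverrideMask = $mask
        Mitigation                  = $mitigation
    }
}

Get-MeltdownRegistryState | Format-List
```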
Researchers have reported finding 13 vulnerabilities in AMD processors. They break these vulnerabilities into four families or categories. One of these categories of vulnerabilities, Ryzenfall, is particularly nasty in that it would allow an attacker to take over the secure processor. Such a takeover would provide an attacker with access to protected data like encryption keys and passwords. Be prepared for yet more driver updates to come from AMD to mitigate these vulnerabilities.
Don’t forget about the third-party apps!
For third-party updates this month there is a Critical update from Adobe for Flash Player that needs attention. Two Critical CVEs were resolved. Google Chrome released an update last week, and Mozilla Firefox and Firefox ESR have released updates, both rated as Critical, resolving 21 unique CVEs. Make sure Flash Player and the Chrome and Firefox browsers are on your update list this month.