Microsoft’s June 2018 Patch Tuesday cumulative rollout for Windows 10 contains a mitigation for the fourth Spectre variant known as Speculative Store Bypass.
Microsoft’s June 2018 Patch Tuesday cumulative rollout for Windows 10 contains a mitigation for the fourth Spectre variant known as Speculative Store Bypass (CVE-2018-3639).
Other patches fix issues ranging from display brightness controls to adding support for the SameSite cookie web standard to Microsoft Edge and Internet Explorer.
Microsoft Windows support said the fixes in the update for CVE-2018-3639/Spectre are not enabled by default but must be enacted. “Windows client (IT pro) guidance, follow the instructions in KB4073119. For Windows Server guidance, follow the instructions in KB4072698,” Microsoft support said.
Included in Microsoft’s update were those issued from Adobe last week when that company issued patches for four vulnerabilities in Flash Player, including a zero-day flaw that attackers have been exploiting in the wild in targeted attacks against Windows users in the Middle East, possibly in Qatar. The actively exploited issue, CVE-2018-5002, is an arbitrary code execution bug caused by a stack-based buffer overflow in Flash Player versions 18.104.22.168 and earlier.
Other vulnerabilities that could lead to remote code execution that were patched were CVE-2018-8248, CVE-2018-8213, CVE-2018-8231 and CVE-2018-8225. The last item was of interest to Dustin Childs, of the Zero Day Initiative, who called it the most important update this cycle.
“This bug clearly wins for most critical this month. This vulnerability could allow an attacker to execute code at the local system level if they can get a crafted response to target the server,” he said in a blog.
Another highlighted issue that was fixed is the Windows denial of service vulnerability CVE-2018-8205. Microsoft said Windows improperly handles objects in memory which if exploited by an attacker could cause a target system to stop responding. To accomplish this the attacker would log on to the system and run a specially crafted application.
There were also 14 elevation of privilege issues patched, and seven Device Guard code integrity policy security feature bypass vulnerabilities which could let an attacker inject malicious code into a Windows PowerShell session.
This article originally appeared at scmagazineuk.com