“April showers bring May flowers,” but did you know May flowers bring June bugs? A lesser-known line from that poem, for sure, but quite apt for a Patch Tuesday synopsis, where software updates are the name of the game. This June there’s more grist for the mill, though there are fewer patches than we’ve seen of late. Take note of the fix for a new zero-day targeting a Flash bug. And use this relative downtime to make sure your patch processes are in good working order. Remember: Meltdown and Spectre are back with all-new bugs to banish from your IT environment.
6. In the News
Zero Day Flash Flaw
https://threatpost.com/zero-day-flash-exploit-targeting-middle-east/132659/
7. Known Exploited Vulnerabilities
CVE-2018-5002 - Stack-Based Buffer Overflow Vulnerability
A remote code execution vulnerability exists in the way that Adobe Flash Player
handles objects in memory. The vulnerability could corrupt memory in such a way
that an attacker could execute arbitrary code in the context of the current user.
An attacker who successfully exploited the vulnerability could gain the same user
rights as the current user. If the current user is logged on with administrative user
rights, an attacker who successfully exploited the vulnerability could take control
of an affected system.
This vulnerability requires the system user to open a document containing a
weaponized Flash Player object. The buffer overflow is exploited as the Flash
object opens, and additional shellcode is downloaded to the system for deeper
exploitation.
8. Publicly Disclosed Vulnerabilities
CVE-2018-8267 - Scripting Engine Memory Corruption Vulnerability
A remote code execution vulnerability exists in the way that the scripting engine
handles objects in memory in Internet Explorer. The vulnerability could corrupt
memory in such a way that an attacker could execute arbitrary code in the
context of the current user. An attacker who successfully exploited the
vulnerability could gain the same user rights as the current user. If the current
user is logged on with administrative user rights, an attacker who successfully
exploited the vulnerability could take control of an affected system.
In a web-based attack scenario, an attacker could host a specially crafted
website that is designed to exploit the vulnerability through Internet Explorer and
then convince a user to view the website. An attacker could also embed an
ActiveX control marked "safe for initialization" in an application or Microsoft Office
document that hosts the IE rendering engine. The attacker could also take
advantage of compromised websites and websites that accept or host
user-provided content or advertisements. These websites could contain specially
crafted content that could exploit the vulnerability.
9. Spectre and Meltdown Update
New Generation of Spectre Vulnerabilities Found in Intel CPUs
https://www.ghacks.net/2018/05/03/spectre-next-generation-vulnerabilities/
Security status after applying June updates
Microsoft June 2018 Release Notes
10. Windows 10 Lifecycle Awareness
Windows 10 Branch Support: End of Service for 2018
Branch 1703 scheduled for October 9 (extended from September 2018)
Windows 10 Version 1607, 1703, and 1709 will continue to receive
security-only updates for 6 months past EOS dates
Supported Editions
Windows 10 Education
Windows 10 Enterprise
Unsupported Editions
Windows 10 Home
Windows 10 Pro
Windows 10 Version 1607 is in extended support now until October 9
Everyone strongly urged to update to latest version of Windows 10
Windows lifecycle fact sheet
11. Microsoft Notable May Out-of-Band Releases
MSNS18-05-4090007_V3 (Q4090007): Intel microcode updates for Windows 10
Version 1709 and Windows Server 2016 (1709): KB 4090007
MSNS18-05-4091663_V3 (Q4091663): Intel microcode updates for Windows 10
Version 1703: KB 4091663
MSNS18-05-4091664_V3 (Q4091664): Intel microcode updates for Windows 10
Version 1607 and Windows Server 2016: KB 4091663
MSNS18-05-4091666_V2 (Q4091666): Intel microcode updates for Windows 10
Version 1507: KB 4091666
MSNS18-05-4100347 (Q4100347): Intel microcode updates for Windows 10 Version
1803: KB 4100347
12. Other Microsoft Information
Service Stack Update KB 4132216 required for Windows 10 Version 1607
before installing June 2018 cumulative update
XP Embedded Patches Released this Patch Tuesday
MS18-06-XPE-4230467
MS18-06-XPE-4293928
MS18-06-XPE-4294413
Microsoft Security Advisory 4338110
https://docs.microsoft.com/en-us/security-updates/securityadvisories/2018/4338110
Microsoft guidance for CBC Symmetric Encryption Security Feature Bypass
14. MS18-06-AFP: Security Update for Adobe Flash Player
Maximum Severity: Critical
Affected Products: Adobe Flash Player
Description: This security update resolves vulnerabilities in Adobe Flash Player that is
installed on any supported edition of Windows Server Version 1803, Windows 10
Version 1803, Windows Server 2016 Version 1709, Windows 10 Version 1709,
Windows 10 Version 1703, Windows Server 2016, Windows 10 Version 1607, Windows
10 (RTM), Windows Server 2012 R2, Windows 8.1, or Windows RT 8.1. This bulletin is
based on KB 4287903 and ADV180014.
Impact: Remote Code Execution
Fixes 4 Vulnerabilities: CVE-2018-4945, CVE-2018-5000, CVE-2018-5001,
CVE-2018-5002
Restart Required: Requires application restart
NOTE: Released June 7 with known Zero Day vulnerability
15. APSB18-19: Security Update for Adobe Flash Player
Maximum Severity: Critical
Affected Products: Adobe Flash Player
Description: Adobe has released security updates for Adobe Flash Player for
Windows, macOS, Linux and Chrome OS. These updates address critical
vulnerabilities in Adobe Flash Player 29.0.0.171 and earlier versions. Successful
exploitation could lead to arbitrary code execution in the context of the current user.
Impact: Remote Code Execution
Fixes 4 Vulnerabilities: CVE-2018-4945, CVE-2018-5000, CVE-2018-5001,
CVE-2018-5002
Restart Required: Requires application restart
NOTE: Released June 7 with known Zero Day vulnerability
16. MS18-06-W10: Windows 10 Update
Maximum Severity: Critical
Affected Products: Microsoft Windows 10 Versions 1607, 1703, 1709, 1803, Server
2016, Server 1709, Server 1803, IE 11 and Microsoft Edge
Description: This bulletin references 5 KB articles. See KBs for the list of changes.
Impact: Remote Code Execution, Security Feature Bypass, Denial of Service,
Elevation of Privilege, and Information Disclosure
Fixes 41 Vulnerabilities: CVE-2018-8267 is publicly disclosed. See Details column
of Security Update Guide for complete list of CVEs.
Restart Required: Requires restart
Known Issues: See next two slides
17. June’s Known Issues for Windows 10
KB 4284880 - Windows 10 Version 1607, Windows Server 2016
Reliability issues have been observed during the creation of shielded VMs and the required
artifacts for their deployment. There are also reliability issues for the Shielding File Wizard with
or without the SCVMM interface. Note: Existing shielded VMs and HGSs are not affected.
Workaround - None. Microsoft is working on a resolution.
KB 4284819 - Windows 10 version 1709
Some non-English platforms may display the following string in English instead of the localized
language: "Reading scheduled jobs from file is not supported in this language mode." This error
appears when you try to read the scheduled jobs you've created and Device Guard is enabled.
When Device Guard is enabled, some non-English platforms may display the following strings in
English instead of the localized language:
"Cannot use '&' or '.' operators to invoke a module scope command across language boundaries."
"'Script' resource from 'PSDesiredStateConfiguration' module is not supported when Device Guard is
enabled. Please use 'Script' resource published by PSDscResources module from PowerShell Gallery."
Workaround – None. Microsoft is working on a resolution.
18. June’s Known Issues for Windows 10 (cont)
KB 4284819 - Windows 10 version 1803
Some users running Windows 10 version 1803 may receive an error "An invalid argument was
supplied" when accessing files or running programs from a shared folder using the SMBv1
protocol.
Workaround – Enable SMBv2 or SMBv3 on both the SMB server and the SMB client, as
described in KB2696547. Microsoft is working on a resolution that will be available later in June.
19. MS18-06-IE: Security Updates for Internet Explorer
Maximum Severity: Critical
Affected Products: Microsoft Internet Explorer 9, 10 and 11
Description: These security updates resolve several reported vulnerabilities in Internet
Explorer. The fixes that are included in this Security Update for Internet Explorer (KB
4230450) are also included in the June 2018 Security Monthly Quality Rollup. Installing
either the Security Update for Internet Explorer or the Security Monthly Quality Rollup
installs the fixes that are in this update. This bulletin references 9 KB articles.
Impact: Remote Code Execution and Security Bypass
Fixes 4 vulnerabilities: CVE-2018-0978, CVE-2018-8113, CVE-2018-8249,
CVE-2018-8267
Restart Required: Requires browser restart
Known Issues: None reported
20. MS18-06-2K8: Windows Server 2008
Maximum Severity: Critical
Affected Products: Microsoft Windows Server 2008
Description: Security updates to fix vulnerabilities associated with the HIDParser,
Windows Code Integrity Module, Windows DNSAPI, NTFS and the Windows kernel
module. This bulletin references 3 KB articles.
Impact: Remote Code Execution, Denial of Service, Elevation of Privilege and
Information Disclosure
Fixes 6 Vulnerabilities: CVE-2018-1036, CVE-2018-1040, CVE-2018-8169,
CVE-2018-8207, CVE-2018-8224, CVE-2018-8225
Restart Required: Requires restart
Known Issues: None reported
21. MS18-06-MR7: Monthly Rollup for Win 7 and Server 2008 R2
Maximum Severity: Critical
Affected Products: Microsoft Windows 7, Server 2008 R2, and IE
Description: This security update includes improvements and fixes that were a part of
update KB4103713 (released May 17, 2018). It includes security updates for Internet
Explorer, Windows apps, Windows Server, Windows storage and filesystems, Windows
wireless networking, and Windows virtualization and kernel. This bulletin is based on
KB 4284826.
Impact: Remote Code Execution, Denial of Service, Elevation of Privilege, and
Information Disclosure
Fixes 8 (shown) + 4 (IE) Vulnerabilities: CVE-2018-1036, CVE-2018-1040,
CVE-2018-8169, CVE-2018-8205, CVE-2018-8207, CVE-2018-8224, CVE-2018-8225,
CVE-2018-8251
Restart Required: Requires restart
Known Issues: See upcoming slide
22. MS18-06-SO7: Security-only Update for Win 7 and Server 2008 R2
Maximum Severity: Critical
Affected Products: Microsoft Windows 7 and Server 2008 R2
Description: Security updates to Windows apps, Windows Server, Windows storage and
filesystems, Windows wireless networking, and Windows virtualization and kernel. This
bulletin is based on KB 4284867.
Impact: Remote Code Execution, Denial of Service, Elevation of Privilege, and
Information Disclosure
Fixes 8 Vulnerabilities: CVE-2018-1036, CVE-2018-1040, CVE-2018-8169,
CVE-2018-8205, CVE-2018-8207, CVE-2018-8224, CVE-2018-8225, CVE-2018-8251
Restart Required: Requires restart
Known Issues: See next slide
23. June’s Known Issues for Windows 7 and Server 2008 R2
KB 4284826 - Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1
A Stop error occurs on machines that don't support Streaming Single Instructions Multiple Data
(SIMD) Extensions 2 (SSE2).
Workaround – None. Microsoft is working on a resolution.
There is an issue with Windows and third-party software that is related to a missing file
(oem<number>.inf). Because of this issue, after you apply this update, the network interface
controller will stop working.
Workaround –
1. To locate the network device, launch devmgmt.msc; it may appear under Other Devices.
2. To automatically rediscover the NIC and install drivers, select Scan for Hardware Changes
from the Action menu.
a. Alternatively, install the drivers for the network device by right-clicking the device and
selecting Update. Then select Search automatically for updated driver software or Browse
my computer for driver software.
KB 4284867 – Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1
Same issues for this Security Only update as listed above for Monthly Rollup
24. MS18-06-MR8: Monthly Rollup for Server 2012
Maximum Severity: Critical
Affected Products: Microsoft Server 2012 and IE
Description: This security update includes improvements and fixes that were a part of
update KB 4103719 (released May 17, 2018). Security updates to Internet Explorer,
Windows apps, Windows storage and filesystems, Windows Server, and Windows
wireless networking. This bulletin is based on KB 4284855.
Impact: Remote Code Execution, Denial of Service, Elevation of Privilege, and
Information Disclosure
Fixes 8 (shown) + 4 (IE) Vulnerabilities: CVE-2018-1036, CVE-2018-1040,
CVE-2018-8169, CVE-2018-8205, CVE-2018-8207, CVE-2018-8210, CVE-2018-8225,
CVE-2018-8251
Restart Required: Requires restart
Known Issues: None reported
25. MS18-06-SO8: Security-only Update for Server 2012
Maximum Severity: Critical
Affected Products: Microsoft Server 2012
Description: Security updates to Windows apps, Windows storage and filesystems,
Windows Server, and Windows wireless networking. This bulletin is based on KB
4284826.
Impact: Remote Code Execution, Denial of Service, Elevation of Privilege, and
Information Disclosure
Fixes 8 Vulnerabilities: CVE-2018-1036, CVE-2018-1040, CVE-2018-8169,
CVE-2018-8205, CVE-2018-8207, CVE-2018-8210, CVE-2018-8225, CVE-2018-8251
Restart Required: Requires restart
Known Issues: None reported
26. MS18-06-MR81: Monthly Rollup for Win 8.1 and Server 2012 R2
Maximum Severity: Critical
Affected Products: Microsoft Windows 8.1, Server 2012 R2, and IE
Description: This security update includes improvements and fixes that were a part of
update KB4103724 (released May 17, 2018). It includes security updates to Internet
Explorer, Windows apps, remote code execution, Windows Server, Windows storage
and filesystems, and Windows wireless networking. This bulletin is based on KB
4284815.
Impact: Remote Code Execution, Denial of Service, Elevation of Privilege, and
Information Disclosure
Fixes 8 (shown) + 4 (IE) Vulnerabilities: CVE-2018-1036, CVE-2018-1040,
CVE-2018-8169, CVE-2018-8205, CVE-2018-8207, CVE-2018-8210, CVE-2018-8225,
CVE-2018-8251
Restart Required: Requires restart
Known Issues: None reported
27. MS18-06-SO81: Security-only Update for Win 8.1 and Server 2012 R2
Maximum Severity: Critical
Affected Products: Microsoft Windows 8.1, Server 2012 R2
Description: Security updates to Windows apps, remote code execution, Windows
Server, Windows storage and filesystems, and Windows wireless networking. This
bulletin is based on KB 4284878.
Impact: Remote Code Execution, Denial of Service, Elevation of Privilege, and
Information Disclosure
Fixes 8 Vulnerabilities: CVE-2018-1036, CVE-2018-1040, CVE-2018-8169,
CVE-2018-8205, CVE-2018-8207, CVE-2018-8210, CVE-2018-8225, CVE-2018-8251
Restart Required: Requires restart
Known Issues: None reported
28. MS18-06-OFF: Security Updates for Microsoft Office
Maximum Severity: Important
Affected Products: Office 2010-2016, Excel 2010-2016, Outlook 2010-2016, Web
Apps Server, and Project Server
Description: This security update resolves vulnerabilities in most Microsoft Office
applications. This bulletin references 22 KB articles.
Impact: Remote Code Execution, Elevation of Privilege, Information Disclosure and
Defense in Depth
Fixes 6 Vulnerabilities: CVE-2018-8244, CVE-2018-8245, CVE-2018-8246,
CVE-2018-8247, CVE-2018-8248, CVE-2018-8254 and ADV180015
Restart Required: Requires application restart
Known Issues: None reported
29. MS18-06-O365: Security Updates for Microsoft Office 365
Maximum Severity: Important
Affected Products: Office 2016
Description: This security update resolves vulnerabilities in most Microsoft Office 365
applications. Information on Office 365 updates is available at
https://technet.microsoft.com/en-us/office/mt465751
Impact: Remote Code Execution, Elevation of Privilege and Information Disclosure
Fixes 3 Vulnerabilities: CVE-2018-8244, CVE-2018-8246, CVE-2018-8248
Restart Required: Requires application restart
Known Issues: None reported
30. MS18-06-SPT: Security Updates for SharePoint Server
Maximum Severity: Important
Affected Products: Microsoft Enterprise SharePoint Server 2013, 2016
Description: This security update resolves vulnerabilities in Microsoft Office that could
allow remote code execution if a user opens a specially crafted Office file. This update
contains many non-security fixes as well. This bulletin is based on KB 4022190 and
KB 4022173.
Impact: Remote Code Execution, Elevation of Privilege and Information Disclosure
Fixes 2 Vulnerabilities: CVE-2018-8252, CVE-2018-8254
Restart Required: Requires restart
Known Issues: None reported
NOTE: After installing the updates for SharePoint Foundation 2013 Service Pack 1 or
SharePoint Enterprise Server 2016, you need to run psconfig.exe.
31. Chrome-228: Security Update for Chrome
Maximum Severity: Critical (High by Google)
Affected Products: Google Chrome
Description: The stable channel has been updated to 67.0.3396.87 for Windows,
Mac, and Linux, which will roll out over the coming days/weeks.
Impact: Out of bounds write
Fixes 1 Vulnerability: CVE-2018-6149
Restart Required: Requires restart
32. Non-Security Updates
Maximum Severity: Recommended
Affected Products: Opera, Nitro-Pro, Blue Jeans, Shockwave
Description: Non-Security updates may include critical bug fixes and feature
updates. Depending on what version you are updating from, a Non-Security
update could include security fixes from previous updates you have not yet
applied. Ivanti recommends updating third-party applications as regularly as
possible to ensure additional security threats are not exposed.
33. Between Patch Tuesdays
New Product Support: Google Drive File Stream, Zoom Client, Zoom Outlook Plugin
Security Updates: Apple Mobile Device Support (1), Adobe Acrobat (1), Adobe Reader
(1), Adobe Creative Cloud (1), Adobe Flash Player (1), CCleaner (3), Google Chrome (4),
CoreFTP (2), Firefox (2), Firefox ESR (3), GIMP (1), HP System Management Homepage
(1), iCloud (1), iTunes (1), LibreOffice (2), Malwarebytes (1), Microsoft (2), Opera (4),
RealPlayer (1), Slack (1), Splunk Forwarder (1), Shockwave (1), Thunderbird (1), Apache
Tomcat (1), VLC Player (1), VMware Player (1), VMware Workstation (1), WinSCP (1),
Wireshark (1)
Non-Security Updates: AIMP (1), Bandicut (1), Box Sync (1), Dropbox (4), Google
Drive File Stream (1), GOM Player (1), Goodsync (4), GoToMeeting (2), Google Backup
and Sync (2), Blue Jeans (1), KeePass Pro (1), LogMeIn (1), Microsoft (50), Oracle
VirtualBox (1), Plex Media Player (2), Plex Media Server (3), Prezi Desktop (1), Skype (4),
Sublime Text Editor (1), TightVNC (1), Webex Productivity Tools (1), XnView (1), Zoom
Client (3), Zoom Outlook Plugin (1)
38. New Webinars
Second ‘Patch Tuesday Webinar’ recording at a Europe-friendly time
Hosted by Chris Goettl and Todd Schell
July 12 at 1pm BST | 2pm CEST
https://go.ivanti.com/Webinar-July-Patch-Tuesday-071218.html
New bi-monthly series - Windows 10 Insights for the Enterprise
Hosted by Rex McMillan and Adam Smith
Insider preview of upcoming changes at Microsoft, interviews with industry experts and
customers, migration tips, best practices, Q&A
June 20 at 8am PT | 11am ET
https://go.ivanti.com/Webinar-0620-Windows-10-Enterprise.html