June Patch Tuesday: Flash, Microsoft & Spectre

574

Please see below commentary in response to this month’s Patch Tuesday from Chris Goettl, Director of Product Management, Security at Ivanti.

Advice from Chris relates to June’s Flash update, Microsoft OS and IE updates, and news on Meltdown and Spectre mitigation.

Chris Goettl, Director of Product Management, Security at Ivanti:

Most of the excitement may already have passed with Adobe’s Flash Player release on June 7th. The discovery of a Zero Day vulnerability (CVE-2018-5002) being exploited in the wild resulted in a Flash Player update (APSB18-19) which included the fix for the exploited vulnerability and three others.

Microsoft has released 12 updates resolving 49 unique vulnerabilities. The update affects the Windows OS, Office, SharePoint, Internet Explorer and Edge browsers. There is one publicly disclosed vulnerability this month. CVE-2018-8267 is a vulnerability in Microsoft’s Scripting Engine which affects all supported versions of Internet Explorer. This vulnerability could allow the attacker to execute arbitrary code in the context of the current user. Running as less than a full administrator would mitigate the impact if this vulnerability were to be exploited. This is also a user targeted vulnerability meaning an attacker need only convince the user to visit a specially crafted website designed to exploit the vulnerability. An attack would also be embedded into an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine. Compromised websites that accept user-provided content such as advertisements could also be an attack vector.

Microsoft’s update for SharePoint Server comes with some additional guidance. Microsoft recommends running the SharePoint Configuration Wizard after applying a SharePoint update. This process would update database schema, security settings, copy additional files from the install location into _app_bin for web applications, and updates feature registrations within SharePoint.

Microsoft has also updated the Meltdown and Spectre mitigation to mitigate against Spectre Variant 4 (CVE-2018-3639) vulnerabilities. This was the series of 8 additional Spectre vulnerabilities discovered a few weeks ago that allow for Speculative Store Bypass. Similar to the last round of Meltdown and Spectre fixes the guidance from Microsoft is to apply the OS updates, apply latest microcode\firmware updates, then turn on mitigation for Variant 4. They do warn about the possibility of performance impact once again.

Ivanti Guidance This Month:

  • Get the Flash Update pushed out ASAP if you have not already done so.
  • Microsoft OS and IE updates are the most critical this month.
  • Check for the latest round of firmware updates from your hardware vendor.
  • Test for performance impacts and turn on Mitigation for Spectre Variant 4.