Microsoft releases 17 critical bug fixes




     Microsoft patched 17 critical bugs and 34 other bugs as part of its monthly security bulletin. In all, Microsoft patched 17 bugs rated critical, with ten tied to scripting engine flaws affecting Internet Explorer. Microsoft is reporting 53 bugs: 17 critical, 34 rated important, one moderate and one low. Browser vulnerabilities make up a large part of Microsoft's July Patch Tuesday security bulletin. The most severe browser bugs reported are four Chakra scripting engine memory corruption vulnerabilities (CVE-2018-8280, CVE-2018-8286, CVE-2018-8290, CVE-2018-8294). Each is a remote code execution vulnerability tied to the JScript engine (Chakra), developed by Microsoft for its 32-bit version of Internet Explorer.

     The sixteen CVEs covering browsers should be prioritized on workstations where users access the public internet through a browser or check email. This includes multi-user servers that are used as remote desktops for users. Five bugs are related to Microsoft Edge. One is a spoofing vulnerability (CVE-2018-8278) that exists when Microsoft Edge improperly handles specific HTML content, which can trick users into thinking that they are visiting a legitimate website. The maliciously crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services.




     Another bug (CVE-2018-8304) is a Windows DNSAPI denial of service vulnerability. DNSAPI is a dynamic link library file in Windows. It contains functions used by the system's domain name system (DNS) client application program interface. While not as severe as last month's wormable CVE-2018-8225, this bug could allow remote hackers to shut down a DNS server through a malformed DNS response. It's not code execution, but it's not good when a hacker can remotely shut down a part of your critical infrastructure.

     Microsoft Office was also patched to prevent emails from containing untrusted TrueType fonts that could be used to compromise a targeted system. The Office vulnerability (CVE-2018-8310) exists when Microsoft Outlook does not properly handle certain attachment types when rendering HTML emails. A hacker can exploit the vulnerability by sending a specially crafted email and attachment to a victim, or by hosting a malicious .eml file on a web server. EML is a file format developed by Microsoft to archive emails while preserving the original HTML formatting and header.
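
     As an added illustration (not code from this article or from Microsoft), the Python sketch below shows a mail-gateway style check that flags font payloads inside a .eml message, the file type and attachment content discussed above. The function names, the list of MIME types and the sample messages are assumptions constructed for this example; it inspects attachments only and is not a detector for CVE-2018-8310 itself.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed policy lists for this example: MIME types and extensions treated as fonts.
FONT_TYPES = {"font/ttf", "font/otf", "font/sfnt", "font/collection",
              "application/x-font-ttf", "application/font-sfnt"}
FONT_EXTS = (".ttf", ".otf", ".ttc")
# sfnt signatures: TrueType 1.0, Apple 'true', OpenType/CFF, TrueType collection
FONT_MAGIC = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")

def find_font_parts(raw_eml: bytes):
    """Return [(filename, content_type, reasons)] for every font-like MIME part."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    hits = []
    for part in msg.walk():  # walk() also descends into nested message/rfc822 parts
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = part.get_filename() or ""
        body = part.get_payload(decode=True) or b""
        reasons = []
        if ctype in FONT_TYPES:
            reasons.append("mime-type")
        if name.lower().endswith(FONT_EXTS):
            reasons.append("extension")
        # Check content too, so a renamed font is still caught; skip text bodies,
        # where a message starting with the word "true" would be a false positive.
        if part.get_content_maintype() != "text" and body[:4] in FONT_MAGIC:
            reasons.append("magic")
        if reasons:
            hits.append((name, ctype, reasons))
    return hits

def build_sample(attachment: bytes, filename: str) -> bytes:
    """Constructed test message: HTML email with one generic binary attachment."""
    m = EmailMessage()
    m["From"], m["To"] = "a@example.com", "b@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("plain part")
    m.add_alternative("<html><body>hello</body></html>", subtype="html")
    m.add_attachment(attachment, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

# Constructed inputs: a TrueType header hidden behind a .dat name, and a PDF stub.
MISLABELLED = build_sample(b"\x00\x01\x00\x00" + b"\x00" * 32, "invoice.dat")
BENIGN = build_sample(b"%PDF-1.4\n% constructed", "report.pdf")

if __name__ == "__main__":
    print(find_font_parts(MISLABELLED))
    print(find_font_parts(BENIGN))
```

     Matching on the first four bytes of the decoded payload is what catches the renamed attachment; a filter that trusts only the declared MIME type or file extension would pass it.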



     Other Office bugs include those affecting SharePoint and Skype for Business. Microsoft also patched an MSR JavaScript cryptography library security feature bypass vulnerability. The bug allows a hacker to generate signatures that fake the entity associated with a public/private key pair. While this doesn't seem to circumvent authentic public/private key pairs, it can be used by malware developers to make their attacks look real.