Microsoft and Adobe security updates patch several vulnerabilities

by Jake Doevan - - 2018-04-12

Microsoft and Adobe updates for April patch critical security vulnerabilities

Adobe and Microsoft patch vulnerabilities

Updates rolled out on April Patch Tuesday^[1] are already available. Microsoft released a bundle of security updates addressing critical security vulnerability CVE-2018-0986 affecting Microsoft Malware Protection Engine (MMPE), as well as issues in Internet Explorer (IE), Edge, ChakraCore, Visual Studio, Microsoft Office, Office Services and Web Apps. Preparing for the Redstone 4, the company patched over 67 security vulnerabilities, 24 of which were rated critical.

Adobe joined the April security patch release and rolled out updates for five products covering 19 security issue, two of which were considered crucial. The vital patch awaited for experts addressed Adobe Flash, which featured three CVEs,k including CVE-2018-0986 allowing remote code execution.

CVE-2018-0986 vulnerability would allow attacker to install software

Microsoft's effort to maximize the security of its OS hasn't been unnoticed. Whitehats clap since there were no Zero Day exploits registered this month. Despite a significant improvement in security sphere, the Redmond giant keeps releasing the updates. This month’s Microsoft updates impact many essential Windows components, such as Internet Explorer, MS Edge, Office, Visual Studio, ChakraCore, Malware Protection Engine, Microsoft Visual Studio and others.

The critical remote code execution flaw affecting Windows Defender and other security products, known as CVE-2018-0986, is the vulnerability standing out from the crowd. It has been discovered and published in early February. Security experts issued multiple warnings at the time because the CVE-2018-0986^[2] vulnerability was extremely easy to exploit as it impacts scanning, detection and cleaning capabilities of numerous Windows security programs, including Windows Defender, Microsoft Endpoint Protection, Microsoft Security Essentials, etc.

After successful exploit of CVE-2018-0986 flaw, a hacker would get a change to inject software like rootkits, spyware, etc. onto the system and take control over user's PC:

An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

The documents building an app called ThreadKit^[3] was caught infecting vulnerable computers with malware. Such programs allow low-skilled cybercriminals exploit vulnerabilities by injecting malicious code into Office files via Flash security hole.

Do not wait too long before installing updates

Indeed, these flaws are critical. Nevertheless, Microsoft says that it's best to install Pact Tuesday updates, especially security vulnerability patches, a couple of days after their release. As the company explains:^[4]

Quite often, problems with patches that may cause systems to end up in an endless reboot loop are reported and resolved with subsequent updates within a few days after their release.

Thus, within the first two days the company will be notified about all problems, including stuck at boot loop,^[5] that the patch tends to trigger, allowing to fix them asap and supply the rest of the Windows users with a issue-free patch update.

By default, Windows 10 is updated automatically; therefore, users who do not want to install the patch instantly should switch off automatic updates (not recommended). Microsoft urges users to turn on automatic updates as it guards them against fake updates and keeps the machine secure from vulnerabilities.

Regardless if you decide to install updates instantly or not, we do not recommend waiting for too long, as your PC might be in danger of malware infections. All you have to do is to navigate to Settings -> Update & Security and press Check for Updates button.

Flash player will not stay on the market for too long

Adobe patched at least two critical vulnerabilities and three important vulnerabilities in the Flash Player. The computer software giant announced that no major exploits were connected to the flaw.

Adobe Flash can be installed as a plug-in in the most dominant browsers. Google Chrome introduces it bundled. Despite that, Chrome does not automatically enable its functionality unless user’s permission is granted.

Nevertheless, the issues with Adobe Flash Player are well known among IT specialists.
The major problem with this plug-in is that it creates multiple security liabilities. Eventually, Adobe is planning to get rid of it entirely by 2020.

The latest standalone version of Flash Player^[6] fixes these issues in the latest version (29.0.0.140) for Windows, Mac, Linux and Chrome OS. Nevertheless, most of the modern sites still require Adobe Flash. Hence, users should better switch it off completely.

About the author

Jake Doevan - Computer technology expert

Jake Doevan is one of News Editors for 2-spyware.com. He graduated from the Washington and Jefferson College , Communication and Journalism studies.

Contact Jake Doevan
About the company Esolutions

References

^ Patch Tuesday. Wikipedia. The free encyclopedia.
^ CVE-2018-0986 | Microsoft Malware Protection Engine Remote Code Execution Vulnerability. Windows. Security Tech Center.
^ Axel F, Matthew Mesa. Unraveling ThreadKit: New document exploit builder used to distribute The Trick, Formbook, Loki Bot and other malware. ProofPoint. Security solutions.
^ Adobe, Microsoft Push Critical Security Fixes. KlebsonSecurity. In-depth security news and investigations.
^ Windows update stuck in continuous loop . Microsoft. Community Forums.
^ Adobe Security Bulletin. Adobe. Official website.