Microsoft and Adobe updates for April patch critical security vulnerabilities
Updates rolled out on April Patch Tuesday are already available. Microsoft released a bundle of security updates addressing critical security vulnerability CVE-2018-0986 affecting Microsoft Malware Protection Engine (MMPE), as well as issues in Internet Explorer (IE), Edge, ChakraCore, Visual Studio, Microsoft Office, Office Services and Web Apps. Preparing for the Redstone 4, the company patched over 67 security vulnerabilities, 24 of which were rated critical.
Adobe joined the April security patch release and rolled out updates for five products covering 19 security issue, two of which were considered crucial. The vital patch awaited for experts addressed Adobe Flash, which featured three CVEs,k including CVE-2018-0986 allowing remote code execution.
CVE-2018-0986 vulnerability would allow attacker to install software
Microsoft's effort to maximize the security of its OS hasn't been unnoticed. Whitehats clap since there were no Zero Day exploits registered this month. Despite a significant improvement in security sphere, the Redmond giant keeps releasing the updates. This month’s Microsoft updates impact many essential Windows components, such as Internet Explorer, MS Edge, Office, Visual Studio, ChakraCore, Malware Protection Engine, Microsoft Visual Studio and others.
The critical remote code execution flaw affecting Windows Defender and other security products, known as CVE-2018-0986, is the vulnerability standing out from the crowd. It has been discovered and published in early February. Security experts issued multiple warnings at the time because the CVE-2018-0986 vulnerability was extremely easy to exploit as it impacts scanning, detection and cleaning capabilities of numerous Windows security programs, including Windows Defender, Microsoft Endpoint Protection, Microsoft Security Essentials, etc.
After successful exploit of CVE-2018-0986 flaw, a hacker would get a change to inject software like rootkits, spyware, etc. onto the system and take control over user's PC:
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
The documents building an app called ThreadKit was caught infecting vulnerable computers with malware. Such programs allow low-skilled cybercriminals exploit vulnerabilities by injecting malicious code into Office files via Flash security hole.
Do not wait too long before installing updates
Indeed, these flaws are critical. Nevertheless, Microsoft says that it's best to install Pact Tuesday updates, especially security vulnerability patches, a couple of days after their release. As the company explains:
Quite often, problems with patches that may cause systems to end up in an endless reboot loop are reported and resolved with subsequent updates within a few days after their release.
Thus, within the first two days the company will be notified about all problems, including stuck at boot loop, that the patch tends to trigger, allowing to fix them asap and supply the rest of the Windows users with a issue-free patch update.
By default, Windows 10 is updated automatically; therefore, users who do not want to install the patch instantly should switch off automatic updates (not recommended). Microsoft urges users to turn on automatic updates as it guards them against fake updates and keeps the machine secure from vulnerabilities.
Regardless if you decide to install updates instantly or not, we do not recommend waiting for too long, as your PC might be in danger of malware infections. All you have to do is to navigate to Settings -> Update & Security and press Check for Updates button.
Flash player will not stay on the market for too long
Adobe patched at least two critical vulnerabilities and three important vulnerabilities in the Flash Player. The computer software giant announced that no major exploits were connected to the flaw.
Adobe Flash can be installed as a plug-in in the most dominant browsers. Google Chrome introduces it bundled. Despite that, Chrome does not automatically enable its functionality unless user’s permission is granted.
Nevertheless, the issues with Adobe Flash Player are well known among IT specialists.
The major problem with this plug-in is that it creates multiple security liabilities. Eventually, Adobe is planning to get rid of it entirely by 2020.
The latest standalone version of Flash Player fixes these issues in the latest version (18.104.22.168) for Windows, Mac, Linux and Chrome OS. Nevertheless, most of the modern sites still require Adobe Flash. Hence, users should better switch it off completely.