Microsoft Patches Two Zero-Days in Windows

Delaware, USA – August 15, 2018 – Yesterday Microsoft released security updates patching 60 vulnerabilities in their products, among which there were two zero-days actively exploiting in the wild. The security flaw in the Internet Explorer scripting engine (CVE-2018-8373) allows attackers to execute code remotely. Attackers can exploit CVE-2018-8373 both when users visit a malicious website or when they open a spam email attachment with an application that has an embedded IE rendering engine. The second patched remote code execution vulnerability (CVE-2018-8414) is in the Windows Shell, and it related to the abuse of the SettingContent-ms files. Last month, Microsoft banned embedding these files into Outlook and Office 365 documents, and yesterday’s patch prevents their abuse in Windows 10. Microsoft said they recorded attacks using this zero-days before yesterday’s updates. 23 flaws in IE, Edge, and Chakra Scripting account, including 13 critical RCE vulnerabilities, were patched as well. A total of 19 critical security flaws and 39 important vulnerabilities in Microsoft products now have patches issued.

Adobe also released a pack of security updates closing 5 important flaws in Adobe Flash Player, 2 critical vulnerabilities in Adobe Flash Player and Reader and several flaws in Experience Manager and Creative Cloud Desktop Application. It is necessary to install updates to all Windows systems as soon as possible. To monitor the Vulnerability Management Process, you can use CyberView that provides information about new vulnerabilities discovered and patches installed.