It's a run-of-the-mill month as far as Patch Tuesdays go. Even so, 50 individual CVEs have been fixed by Microsoft, most of which (34) are rated "Important". As usual, most of the 14 considered "Critical" are web browser vulnerabilities that could lead to remote code execution (RCE). The most concerning non-browser issue is CVE-2018-0825, an RCE in the StructuredQuery component (used in searches) that could be triggered simply by loading a malicious file in Outlook's preview pane. The preview pane is also a potential vector for CVE-2018-0852, an Outlook-specific RCE bug that was also patched today. The impact of RCE vulnerabilities is limited by whatever rights the current user has. However, they could potentially be chained with one of the 15 elevation of privilege vulnerabilities that were also patched this month.

This month seems especially underwhelming compared to the excitement of the out-of-band mitigations for Meltdown and Spectre last month. However, it's worth noting that Microsoft has issued several revisions to that advisory over the past month, and today they released additional patches for 32-bit versions of Windows 10. Fixes for older 32-bit versions of Windows are still under development.

None of today's vulnerabilities are known to be exploited in the wild. On the other hand, the Adobe Flash update that was released out of band last week addressed a vulnerability that was being exploited, so be sure that any Flash installations in your environment are fully up to date. In other Adobe news, today they put out an update for Acrobat and Reader (APSB18-02) that fixes 41 separate vulnerabilities, many of which could lead to code execution.

Microsoft Vulnerability Summary

Vulnerability Count by Component

Vulnerability Count by Impact

Vulnerability Count by Severity

CVSSv3 Base Score Distribution
(Note: Not all CVEs had CVSSv3 data available at the time of writing.)