This month's security updates from Microsoft address 50 separate vulnerabilities, including two fixes for Adobe Flash Player (APSB18-24). There are no 0-days this month, although three vulnerabilities had been publicly disclosed prior to the release: two privilege escalation vulnerabilities in Windows and a spoofing vulnerability in Edge whereby a user could be tricked into believing a malicious website is legitimate.

Over half of the vulnerabilities fixed today allow Remote Code Execution (RCE), and for the most part affect Edge and/or Internet Explorer. There are also RCEs in Lync / Skype for Business (CVE-2018-8311), Access (CVE-2018-8312), SharePoint Server (CVE-2018-8300), and Office (CVE-2018-8281).

Four vulnerabilities in .NET Framework have been patched: a security feature bypass, RCE, remote code injection, and elevation of privilege.

On the server side, patches are relatively light this month. However, SharePoint Server admins should be aware of two privilege escalation vulnerabilities being fixed in addition to the RCE. There is also a denial of service in FTP Server being fixed (CVE-2018-8206).

Software developers making use of Microsoft technologies should take note of fixes made for Visual Studio: CVE-2018-8172 allows RCE via a maliciously crafted project or resource file, and CVE-2018-8232 is a validation bug in Macro Assembler. There is also a fix for ASP.NET (CVE-2018-8171, a denial of service vulnerability). This is not to mention the typical spate of RCE vulnerabilities patched in ChakraCore, Microsoft's open source JavaScript engine.

[Chart: Vulnerability Count by Component]

[Chart: Vulnerability Count by Impact]

[Chart: Vulnerability Count by Severity]

[Chart: CVSSv3 Base Score Distribution]
Note: not all CVEs had CVSSv3 data available at the time of writing.