Patch Tuesday

Microsoft has released the June 2018 Patch Tuesday security updates, and this month's release comes with fixes for 50 vulnerabilities.

Fixes are included for the Windows OS, Internet Explorer, Microsoft Edge, the ChakraCore JavaScript engine, and Microsoft Office and Microsoft Office Services and Web Apps.

No Windows zero-days this month

There are no Windows zero-days in this month's Patch Tuesday, but Microsoft patched CVE-2018-8267, a remote code execution vulnerability whose existence was publicly disclosed last week.

In addition to the regular Patch Tuesday updates, Microsoft has also published KB4338110, a standalone security advisory with coding guidance that helps developers avoid building apps vulnerable to padding oracle attacks when they use symmetric encryption algorithms in Cipher-Block-Chaining (CBC) mode.

Apps with this flaw allow an attacker to decrypt and tamper with encrypted data without knowing the encryption key, and the attack can be performed locally or over a network.

Furthermore, after installing this month's Patch Tuesday updates, everybody's Meltdown and Spectre mitigations will be set to the defaults shown below.

| Operating System | CVE-2017-5715 (Spectre variant 2) | CVE-2017-5754 (Meltdown) | CVE-2018-3639 (Spectre variant 4 aka SpectreNG) |
|---|---|---|---|
| Windows 10 | Enabled by default | Enabled by default | Disabled by default - see ADV180012 |
| Windows Server 2016 | Disabled by default - see KB4072698 | Disabled by default - see KB4072698 | Disabled by default - see ADV180012 |
| Windows 8.1 | Enabled by default | Enabled by default | Not applicable |
| Windows Server 2012 R2 | Disabled by default - see KB4072698 | Disabled by default - see KB4072698 | Disabled by default - see ADV180012 |
| Windows RT 8.1 | Enabled by default | Enabled by default | Not applicable |
| Windows 7 | Enabled by default | Enabled by default | Disabled by default - see ADV180012 |
| Windows Server 2008 R2 | Disabled by default - see KB4072698 | Disabled by default - see KB4072698 | Disabled by default - see ADV180012 |
| Windows Server 2008 | Enabled by default | Enabled by default | Not applicable |

Flash fixes also included

Last but not least, the Microsoft June 2018 Patch Tuesday also includes a patch for an Adobe Flash Player zero-day (CVE-2018-5002) that Adobe patched last week.

Below is a table listing all the security issues Microsoft fixed this month. We used PowerShell and the Microsoft API to assemble the table, but the full report is much longer. We hosted the full report on GitHub, here.

If you're not interested in all security updates and you'd like to filter updates per product, you can use Microsoft's official Security Update Guide, available here.

| Tag | CVE ID | CVE Title |
|---|---|---|
| Adobe Flash Player | ADV180014 | June 2018 Adobe Flash Security Update |
| Microsoft Office | ADV180015 | Microsoft Office Defense in Depth Update |
| Device Guard | CVE-2018-8215 | Device Guard Code Integrity Policy Security Feature Bypass Vulnerability |
| Device Guard | CVE-2018-8212 | Device Guard Code Integrity Policy Security Feature Bypass Vulnerability |
| Device Guard | CVE-2018-8211 | Device Guard Code Integrity Policy Security Feature Bypass Vulnerability |
| Device Guard | CVE-2018-8221 | Device Guard Code Integrity Policy Security Feature Bypass Vulnerability |
| Device Guard | CVE-2018-8217 | Device Guard Code Integrity Policy Security Feature Bypass Vulnerability |
| Device Guard | CVE-2018-8216 | Device Guard Code Integrity Policy Security Feature Bypass Vulnerability |
| Device Guard | CVE-2018-8201 | Device Guard Code Integrity Policy Security Feature Bypass Vulnerability |
| HID Parser Library | CVE-2018-8169 | HIDParser Elevation of Privilege Vulnerability |
| Internet Explorer | CVE-2018-0978 | Internet Explorer Memory Corruption Vulnerability |
| Internet Explorer | CVE-2018-8113 | Internet Explorer Security Feature Bypass Vulnerability |
| Internet Explorer | CVE-2018-8249 | Internet Explorer Memory Corruption Vulnerability |
| Microsoft Edge | CVE-2018-8110 | Microsoft Edge Memory Corruption Vulnerability |
| Microsoft Edge | CVE-2018-8111 | Microsoft Edge Memory Corruption Vulnerability |
| Microsoft Edge | CVE-2018-8236 | Microsoft Edge Memory Corruption Vulnerability |
| Microsoft Edge | CVE-2018-8235 | Microsoft Edge Security Feature Bypass Vulnerability |
| Microsoft Edge | CVE-2018-0871 | Microsoft Edge Information Disclosure Vulnerability |
| Microsoft Edge | CVE-2018-8234 | Microsoft Edge Information Disclosure Vulnerability |
| Microsoft NTFS | CVE-2018-1036 | NTFS Elevation of Privilege Vulnerability |
| Microsoft Office | CVE-2018-8246 | Microsoft Excel Information Disclosure Vulnerability |
| Microsoft Office | CVE-2018-8247 | Microsoft Office Elevation of Privilege Vulnerability |
| Microsoft Office | CVE-2018-8244 | Microsoft Outlook Elevation of Privilege Vulnerability |
| Microsoft Office | CVE-2018-8245 | Microsoft Office Elevation of Privilege Vulnerability |
| Microsoft Office | CVE-2018-8254 | Microsoft SharePoint Elevation of Privilege Vulnerability |
| Microsoft Office | CVE-2018-8248 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2018-8252 | Microsoft SharePoint Elevation of Privilege Vulnerability |
| Microsoft Scripting Engine | CVE-2018-8229 | Chakra Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2018-8227 | Chakra Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2018-8267 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2018-8243 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Windows | CVE-2018-8175 | WEBDAV Denial of Service Vulnerability |
| Microsoft Windows | CVE-2018-1040 | Windows Code Integrity Module Denial of Service Vulnerability |
| Microsoft Windows | CVE-2018-8251 | Media Foundation Memory Corruption Vulnerability |
| Microsoft Windows | CVE-2018-0982 | Windows Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2018-8208 | Windows Desktop Bridge Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2018-8209 | Windows Wireless Network Profile Information Disclosure Vulnerability |
| Microsoft Windows | CVE-2018-8214 | Windows Desktop Bridge Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2018-8210 | Windows Remote Code Execution Vulnerability |
| Microsoft Windows | CVE-2018-8213 | Windows Remote Code Execution Vulnerability |
| Microsoft Windows | CVE-2018-8205 | Windows Denial of Service Vulnerability |
| Microsoft Windows | CVE-2018-8231 | HTTP Protocol Stack Remote Code Execution Vulnerability |
| Microsoft Windows | CVE-2018-8239 | Windows GDI Information Disclosure Vulnerability |
| Microsoft Windows | CVE-2018-8226 | HTTP.sys Denial of Service Vulnerability |
| Microsoft Windows | CVE-2018-8225 | Windows DNSAPI Remote Code Execution Vulnerability |
| Windows Hyper-V | CVE-2018-8218 | Windows Hyper-V Denial of Service Vulnerability |
| Windows Hyper-V | CVE-2018-8219 | Hypervisor Code Integrity Elevation of Privilege Vulnerability |
| Windows Kernel | CVE-2018-8207 | Windows Kernel Information Disclosure Vulnerability |
| Windows Kernel | CVE-2018-8233 | Win32k Elevation of Privilege Vulnerability |
| Windows Kernel | CVE-2018-8224 | Windows Kernel Elevation of Privilege Vulnerability |
| Windows Kernel | CVE-2018-8121 | Windows Kernel Information Disclosure Vulnerability |
| Windows Shell | CVE-2018-8140 | Cortana Elevation of Privilege Vulnerability |
