Patch Tuesday

Earlier today, Microsoft published the Patch Tuesday security bulletin for May 2018, containing fixes for 67 security issues.

This month, Microsoft fixed security flaws in Microsoft Windows, Internet Explorer, Microsoft Edge, ChakraCore, .NET Framework, Microsoft Exchange Server, Windows Host Compute Service Shim, Microsoft Office, and Microsoft Office Services and Web Apps.

Microsoft patches two zero-days

The biggest issue patched this month is a zero-day in Internet Explorer that was abused in a cyber-espionage campaign earlier this month. The zero-day (CVE-2018-8174) affects not only IE but also any other projects that embed the IE web rendering engine. Microsoft credited researchers from both Qihoo 360 Core Security and Kaspersky Lab for discovering this issue.

The second zero-day is CVE-2018-8120, an elevation-of-privilege vulnerability in the Win32k component.

"An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft says. But the flaw is not as dangerous as it sounds: an attacker first needs a foothold on a Windows system to run his malicious code before he can elevate his access rights.

Microsoft also patched CVE-2018-8141 (Windows Kernel Information Disclosure Vulnerability) and CVE-2018-8170 (Windows Image Elevation of Privilege Vulnerability), for which exploitation details became public. Despite details about these two flaws being published online, Microsoft says neither was exploited in the wild.

Flash fixes also included

Last but not least, the Microsoft May 2018 Patch Tuesday also included a patch for an Adobe Flash Player vulnerability (CVE-2018-4944) that Adobe patched earlier today.

Below is a table listing all the security issues Microsoft fixed this month. We used PowerShell and the Microsoft API to assemble the table, but the full report is much longer. We hosted the full report on GitHub, here.

If you're not interested in all security updates and you'd like to filter updates per product, you can use Microsoft's official Security Update Guide, available here.

| Tag | CVE ID | CVE Title |
|---|---|---|
| Adobe Flash Player | ADV180008 | May 2018 Adobe Flash Security Update |
| .NET Framework | CVE-2018-1039 | .NET Framework Device Guard Security Feature Bypass Vulnerability |
| .NET Framework | CVE-2018-0765 | .NET and .NET Core Denial of Service Vulnerability |
| Azure | CVE-2018-8119 | Azure IoT SDK Spoofing Vulnerability |
| Common Log File System Driver | CVE-2018-8167 | Windows Common Log File System Driver Elevation of Privilege Vulnerability |
| Device Guard | CVE-2018-8129 | Windows Security Feature Bypass Vulnerability |
| Device Guard | CVE-2018-8132 | Windows Security Feature Bypass Vulnerability |
| Device Guard | CVE-2018-0854 | Windows Security Feature Bypass Vulnerability |
| GitHub | CVE-2018-8115 | Windows Host Compute Service Shim Remote Code Execution Vulnerability |
| Internet Explorer | CVE-2018-8126 | Internet Explorer Security Feature Bypass Vulnerability |
| Microsoft Browsers | CVE-2018-8178 | Microsoft Browser Memory Corruption Vulnerability |
| Microsoft Browsers | CVE-2018-1025 | Microsoft Browser Information Disclosure Vulnerability |
| Microsoft Edge | CVE-2018-1021 | Microsoft Edge Information Disclosure Vulnerability |
| Microsoft Edge | CVE-2018-8123 | Microsoft Edge Memory Corruption Vulnerability |
| Microsoft Edge | CVE-2018-8179 | Microsoft Edge Memory Corruption Vulnerability |
| Microsoft Edge | CVE-2018-8112 | Microsoft Edge Security Feature Bypass Vulnerability |
| Microsoft Exchange Server | CVE-2018-8151 | Microsoft Exchange Memory Corruption Vulnerability |
| Microsoft Exchange Server | CVE-2018-8152 | Microsoft Exchange Server Elevation of Privilege Vulnerability |
| Microsoft Exchange Server | CVE-2018-8154 | Microsoft Exchange Memory Corruption Vulnerability |
| Microsoft Exchange Server | CVE-2018-8159 | Microsoft Exchange Elevation of Privilege Vulnerability |
| Microsoft Exchange Server | CVE-2018-8153 | Microsoft Exchange Spoofing Vulnerability |
| Microsoft Graphics Component | CVE-2018-8165 | DirectX Graphics Kernel Elevation of Privilege Vulnerability |
| Microsoft Graphics Component | CVE-2018-8120 | Win32k Elevation of Privilege Vulnerability |
| Microsoft Graphics Component | CVE-2018-8164 | Win32k Elevation of Privilege Vulnerability |
| Microsoft Graphics Component | CVE-2018-8124 | Win32k Elevation of Privilege Vulnerability |
| Microsoft Office | CVE-2018-8148 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2018-8157 | Microsoft Office Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2018-8158 | Microsoft Office Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2018-8173 | Microsoft InfoPath Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2018-8168 | Microsoft SharePoint Elevation of Privilege Vulnerability |
| Microsoft Office | CVE-2018-8150 | Microsoft Outlook Security Feature Bypass Vulnerability |
| Microsoft Office | CVE-2018-8155 | Microsoft SharePoint Elevation of Privilege Vulnerability |
| Microsoft Office | CVE-2018-8147 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2018-8149 | Microsoft SharePoint Elevation of Privilege Vulnerability |
| Microsoft Office | CVE-2018-8156 | Microsoft SharePoint Elevation of Privilege Vulnerability |
| Microsoft Office | CVE-2018-8162 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2018-8163 | Microsoft Excel Information Disclosure Vulnerability |
| Microsoft Office | CVE-2018-8160 | Microsoft Outlook Information Disclosure Vulnerability |
| Microsoft Office | CVE-2018-8161 | Microsoft Office Remote Code Execution Vulnerability |
| Microsoft Scripting Engine | CVE-2018-0955 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2018-1022 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2018-8114 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2018-8122 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2018-0954 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2018-8130 | Chakra Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2018-8128 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2018-8177 | Chakra Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2018-8133 | Chakra Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2018-8137 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2018-8139 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2018-8145 | Chakra Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2018-0946 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2018-0945 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2018-0951 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2018-0953 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2018-0943 | Chakra Scripting Engine Memory Corruption Vulnerability |
| Microsoft Windows | CVE-2018-0958 | Windows Security Feature Bypass Vulnerability |
| Microsoft Windows | CVE-2018-8170 | Windows Image Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2018-8136 | Windows Remote Code Execution Vulnerability |
| Microsoft Windows | CVE-2018-8174 | Windows VBScript Engine Remote Code Execution Vulnerability |
| Windows COM | CVE-2018-0824 | Microsoft COM for Windows Remote Code Execution Vulnerability |
| Windows Hyper-V | CVE-2018-0961 | Hyper-V vSMB Remote Code Execution Vulnerability |
| Windows Hyper-V | CVE-2018-0959 | Hyper-V Remote Code Execution Vulnerability |
| Windows Kernel | CVE-2018-8166 | Win32k Elevation of Privilege Vulnerability |
| Windows Kernel | CVE-2018-8127 | Windows Kernel Information Disclosure Vulnerability |
| Windows Kernel | CVE-2018-8897 | Windows Kernel Elevation of Privilege Vulnerability |
| Windows Kernel | CVE-2018-8134 | Windows Elevation of Privilege Vulnerability |
| Windows Kernel | CVE-2018-8141 | Windows Kernel Information Disclosure Vulnerability |
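
For readers who want to triage the table offline, the following added example (not the PowerShell we used to build the report, and not Microsoft code) parses rows of the table and orders them for patching, putting the exploited and publicly disclosed flaws named in this article first. The impact ordering, the function names, and the sample subset of rows are assumptions of the example.

```python
import re

# Status as stated in the article text above, not pulled from any API.
EXPLOITED = {"CVE-2018-8174", "CVE-2018-8120"}
DISCLOSED = {"CVE-2018-8141", "CVE-2018-8170"}

# Impact classes read from the title; this ordering is an assumption of the
# example, not a Microsoft severity rating.
IMPACTS = ("Remote Code Execution", "Elevation of Privilege",
           "Security Feature Bypass", "Information Disclosure",
           "Spoofing", "Denial of Service", "Memory Corruption")
ROW_RE = re.compile(
    r"^(?P<tag>.+?)\s+(?P<id>CVE-\d{4}-\d{4,}|ADV\d{6})\s+(?P<title>.+)$")

# A few rows copied from the table above, plus the header and one junk line.
SAMPLE = """\
Tag CVE ID CVE Title
Adobe Flash Player ADV180008 May 2018 Adobe Flash Security Update
Microsoft Graphics Component CVE-2018-8120 Win32k Elevation of Privilege Vulnerability
Microsoft Windows CVE-2018-8170 Windows Image Elevation of Privilege Vulnerability
Microsoft Windows CVE-2018-8174 Windows VBScript Engine Remote Code Execution Vulnerability
Windows Hyper-V CVE-2018-0959 Hyper-V Remote Code Execution Vulnerability
Windows Kernel CVE-2018-8141 Windows Kernel Information Disclosure Vulnerability
Microsoft Exchange Server CVE-2018-8153 Microsoft Exchange Spoofing Vulnerability
not a table row
"""

def parse_rows(text):
    """Split 'Tag ID Title' rows on the advisory ID; skip non-matching lines."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(" ".join(line.replace("|", " ").split()))
        if m:
            e = m.groupdict()
            e["impact"] = next((i for i in IMPACTS if i in e["title"]), "Other")
            e["status"] = ("exploited" if e["id"] in EXPLOITED else
                           "disclosed" if e["id"] in DISCLOSED else "none")
            entries.append(e)
    return entries

def triage(entries):
    """Exploited first, then publicly disclosed, then by impact class."""
    rank = {"exploited": 0, "disclosed": 1, "none": 2}
    imp = lambda e: IMPACTS.index(e["impact"]) if e["impact"] in IMPACTS else len(IMPACTS)
    return sorted(entries, key=lambda e: (rank[e["status"]], imp(e), e["id"]))

def by_tag(entries, tag):
    """Filter to one product tag, e.g. 'Windows Kernel'."""
    return [e for e in entries if e["tag"].lower() == tag.lower()]

if __name__ == "__main__":
    for e in triage(parse_rows(SAMPLE)):
        print(f'{e["status"]:<9} {e["id"]:<14} {e["impact"]:<24} {e["tag"]}')
```
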

Article updated to include details about second zero-day.
