May 2018 Patch Priorities

Get patching!  Microsoft’s May vulnerability count hits 68 CVEs, 21 of which are rated critical, 45 important, and two are low impact. There are at least 2 zero-days being exploited in the wild!

1) A remote code execution vulnerability in the Windows VBScript Engine affecting all versions of Windows, first spotted being exploited by nation-state three weeks ago. Dubbed ‘Double Kill’ CVE-2018-8174 can be deployed in a number of ways, including luring an IE user to a malicious website with embedded VBScript, using an ActiveX control marked ‘safe for initialization’, or via a malicious RTF file in an Office document. It gives attackers control over the victim’s computer for data theft, eavesdropping or deploying ransomware.

2) CVE-2018-8120, an elevation-of-privilege vulnerability in the Win32k subsystem of Windows 7 32/64-bit and Windows Server 2008 R2. An attacker would need to be logged into the target already in order to exploit the flaw, which is why it’s listed as ‘important’ rather than critical. Microsoft hasn’t said how it’s being exploited, but this kind of vulnerability is golden for criminals.