17 of these vulnerabilities are related to browsers and scripting engines – making these updates particularly important for those using Edge or Internet Explorer.
All of the critical bugs are related to remote code execution (RCE) flaws. These include:
- A vulnerability in Microsoft Word that allowed attackers to craft a file that, if opened by the user, let the attacker run malicious code on the victim’s device.
- A vulnerability in Application Inspector where “a tool reflects example code snippets from third-party source files into its HTML output,” said Microsoft. “An attacker who exploited it could send sections of the report containing code snippets to an external server.”
- A vulnerability in Dynamics Business Central where attackers who compromise a host can execute shell commands on the target’s server.
However, Microsoft did not patch a flaw in Microsoft SMB servers which can be exploited by sending a specially crafted data packet to an SMBv3 server.
It said that in the interim, those affected can disable SMBv3 compression as a workaround with the following PowerShell command:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
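The following script is an added example, not part of the article or Microsoft's own guidance text; it wraps the one-line workaround above in an audit-then-apply routine so an administrator can confirm the registry value before and after the change. It assumes an elevated PowerShell session on a Windows host running the SMB server (LanmanServer) service; the function names are hypothetical.

```powershell
# Added example (not from the article): audit and optionally apply the SMBv3
# compression workaround. Assumes an elevated PowerShell session on a host
# running the LanmanServer (SMB server) service.
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Name    = 'DisableCompression'

function Get-SmbCompressionWorkaroundState {
    # Returns 'Applied' when DisableCompression is a DWORD set to 1,
    # 'NotApplied' when the value is absent or set to anything else.
    $value = (Get-ItemProperty -Path $RegPath -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($value -eq 1) { 'Applied' } else { 'NotApplied' }
}

function Enable-SmbCompressionWorkaround {
    # Sets the value from the article's command; supports -WhatIf so the change
    # can be previewed before it is made.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess("$RegPath\$Name", 'Set DWORD to 1')) {
        Set-ItemProperty -Path $RegPath -Name $Name -Type DWORD -Value 1 -Force
    }
}

$before = Get-SmbCompressionWorkaroundState
Write-Host "Before: $before"
if ($before -ne 'Applied') { Enable-SmbCompressionWorkaround }
Write-Host "After:  $(Get-SmbCompressionWorkaroundState)"
```

Run it once with `Enable-SmbCompressionWorkaround -WhatIf` on a test host to see the registry write it would perform, then as written to apply it; Microsoft's advisory notes that no reboot is required for the setting to take effect. The value lives under the LanmanServer key, so it protects only the host's SMB server role; clients that connect out to an SMBv3 server are not covered by this workaround and still depend on the eventual patch.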
All of the new patches are available via Windows Update in Windows 10, and there are no reports of issues with the implementation of these patches.
Microsoft update issues
A lack of complaints regarding failed installations is good news – particularly following Microsoft’s botched February update.
The update resulted in many users being unable to reset their PCs, while some suffered installation failure errors.
“Using the ‘Reset this PC’ feature, also called ‘Push Button Reset’ or PBR, might fail. You might restart into recovery with ‘Choose an option’ at the top of the screen with various options or you might restart to desktop and receive the error ‘There was a problem resetting your PC,’” said Microsoft.
For these reasons, it removed the patch and recommended that users who were suffering issues with the patch uninstall it.
“This standalone security update has been removed and will not be re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog,” said Microsoft.