Microsoft issued its March 2018 Security Updates, which include 75 vulnerability fixes, 15 of them rated critical. The updates address multiple Microsoft products, including Windows, Internet Explorer, Edge, Exchange, Office, Office Services and Web Apps, ChakraCore, PowerShell and Adobe Flash.
According to Qualys, one of the more notable ‘important’ vulnerabilities fixed is a CredSSP remote code execution vulnerability (CVE-2018-0886) that could allow an attacker to relay user credentials and use them to execute code on the target system. CredSSP is short for the Credential Security Support Provider protocol and is an authentication provider which processes authentication requests for other applications.
“As an example of how an attacker would exploit this vulnerability against Remote Desktop Protocol, the attacker would need to run a specially crafted application and perform a man-in-the-middle attack against a Remote Desktop Protocol session. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft stated in an advisory.
A few of the critical patches also worth mentioning include fixes for Chakra scripting engine memory corruption vulnerabilities in Edge (CVE-2018-0872, CVE-2018-0874). Microsoft listed each of these as “exploitation more likely.” Other critical scripting engine memory corruption and information disclosure bugs were also fixed in Internet Explorer 11 and Edge.
Trend Micro also noted that Microsoft lifted its requirement that an antivirus (AV) registry key be present for devices to receive the latest patches. The reg key was previously required to help mitigate potential compatibility issues caused by the Meltdown and Spectre patches last January.
See the Security Update Guide for more details on all patches.