Microsoft issued July 2018 Security Updates that include 54 unique vulnerability fixes, 17 of them rated critical.
The updates address multiple Microsoft products to include, but not limited to: Windows, Internet Explorer, Edge, Office, Office Services and Web Apps, ChakraCore, Skype for Business, Lync, Visual Studio, PowerShell, .NET Framework and Adobe Flash Player.
Microsoft also released guidance and patch for a new Lazy FP State Restore vulnerability, a new side-channel attack on speculative execution. The bug was previously announced by Microsoft on June 13th and patch released as part of patch Tuesday release.
“An attacker, via a local process, could cause information stored in FP (Floating Point), MMX, and SSE register state to be disclosed across security boundaries on Intel Core family CPUs through speculative execution. An attacker must be able to execute code locally on a system in order to exploit this vulnerability, similar to the other speculative execution vulnerabilities. The information that could be disclosed in the register state depends on the code executing on a system and whether any code stores sensitive information in FP register state,” as Microsoft described Lazy FP State Restore vulnerability in the advisory.
16 of the vulnerabilities address browser related flaws and should be prioritized for internet-facing workstations.
One of the critical vulnerabilities fixed in this month’s patch updates is for PowerShell Editor Services. If left unpatched, an attacker could execute malicious code in a PowerShell Editor Services process.
See the Security Update Guide and July summary release notes for more details on all patches.