Update now! Microsoft’s April 2018 Patch Tuesday – 65 vulnerability, 24 Critical

Update now! Microsoft’s April 2018 Patch Tuesday – 65 vulnerability, 24 Critical

The big picture is 65 security fixes assigned CVE numbers, 23 of which (plus a separate Adobe Flash flaw) are rated critical, with no true zero-days among them.

An critical 66th CVE on the list should already have been fixed a week ago through an emergency patch that Microsoft issued for a remote code execution (RCE) vulnerability (CVE-2018-0986) in the Microsoft Malware Protection Engine (MMPE).

Affecting Security Essentials, Intune Endpoint Protection, Windows Defender, Exchange Server 2013/2016, and Forefront Endpoint Protection 2010, this patch should have been applied automatically via MMPE itself.

A breakdown of the remaining 22 critical flaws shows:

Seven memory corruption vulnerabilities in the Chakra Scripting Engine (Edge’s JavaScript interpreter).

Five RCE flaws in Microsoft Graphics’ Windows font library.

Four affecting Internet Explorer.

Four affecting the scripting engine also used by Internet Explorer.

One affecting Windows 10’s Edge browser.

One RCE in the Windows VBScript engine.