Microsoft Fixes 17 Critical Bugs in July Patch Tuesday Release

microsoft sha-1 deprecation

Microsoft patches 17 critical bugs and 34 important bugs as part of its monthly security bulletin.


Browser vulnerabilities took center stage in Microsoft’s July Patch Tuesday security bulletin. In all, Microsoft patched 17 bugs rated critical, with ten tied to scripting engine flaws impacting Internet Explorer. In total, Microsoft is reporting 53 bugs: 17 critical, 34 rated important, one moderate and one low.

The most severe of the browser bugs reported are four Chakra scripting engine memory corruption vulnerabilities (CVE-2018-8280, CVE-2018-8286, CVE-2018-8290, CVE-2018-8294). Each are remote code execution vulnerabilities tied to the JScript engine (Chakra), developed by Microsoft for its 32-bit version of the Internet Explorer. The bugs impact Microsoft’s Edge browser, in this instance.

“The 16 CVEs covering browsers should be prioritized for workstation type devices, meaning any system where users are commonly accessing the public internet through a browser or checking email. This includes multi-user servers that are used as remote desktops for users,” wrote Jimmy Graham, director of product management at Qualys.

Five bugs are tied to Microsoft Edge. One is a spoofing vulnerability (CVE-2018-8278) that exists when Microsoft Edge improperly handles specific HTML content, which could trick users into believing that they were visiting a legitimate website. “The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services,” wrote Microsoft.

Another bug (CVE-2018-8304) is a Windows DNSAPI denial of service vulnerability. DNSAPI is a dynamic-link library file in Windows. In this context it contains functions used by a system’s domain name system (DNS) in a client’s application program interface.

“While not a severe as last month’s wormable CVE-2018-8225, this bug could allow remote attackers to shut down a DNS server through merely a malformed DNS response. Again, that’s better than code execution, but it’s never good when an adversary can remotely shut down a part of your critical infrastructure,” commented ZDI researchers in their Patch Tuesday analysis.

Microsoft’s Office was also patched to prevent emails from containing untrusted TrueType fonts that could be used to compromise a targeted system.

The Office tampering vulnerability (CVE-2018-8310) “exists when Microsoft Outlook does not properly handle specific attachment types when rendering HTML emails. An attacker could exploit the vulnerability by sending a specially crafted email and attachment to a victim, or by hosting a malicious .eml file on a web server,” Microsoft wrote. EML files are a file format developed by Microsoft to archive emails while at the same time preserving the original HTML formatting and header.

Other Office bugs include those impacting SharePoint and Skype for Business.

Microsoft also patched a MSR JavaScript cryptography library security feature bypass vulnerability. In short, the bug allows an attacker to generate signatures that mimic the entity associated with a public/private key pair. “While this doesn’t appear to circumvent authentic public/private key pairs, it likely can be used by malware authors to make their attacks appear genuine,” wrote ZDI.

On Tuesday, Adobe also tackled over 100 bugs as part of its monthly bug zapping.

(Story was updated on 7/12/18 at 1:06 pm ET to more precisely indicate that bugs CVE-2018-8280, CVE-2018-8286, CVE-2018-8290, CVE-2018-8294 were tied to the Microsoft Edge browser and not Internet Explorer)

Suggested articles