More than 20 of the 53 vulnerabilities were related to Microsoft Internet Explorer and Microsoft Edge, and many were major vulnerabilities that could lead to remote code execution attacks. In its monthly security update this week, Microsoft fixed 53 security vulnerabilities across 15 of its products, including 18 Critical vulnerabilities and more than 20 browser vulnerabilities. Microsoft did not patch any zero-day flaws this month.

More than 20 of the 53 vulnerabilities were related to browsers such as Internet Explorer or Microsoft Edge, and the vast majority were major vulnerabilities. Jimmy Graham, director of product management at Qualys, said workstation devices should be prioritized when patching browser vulnerabilities, because users of such devices typically use browsers to access the public web or email services.

Of the browser vulnerabilities, six were related to Microsoft Edge's Chakra scripting engine, and five were classified as significant vulnerabilities that could lead to remote code execution attacks. They are CVE-2018-8280, CVE-2018-8286, CVE-2018-8290, CVE-2018-8294 and CVE-2018-8298.

CVE-2018-8278 in Microsoft Edge is a spoofing vulnerability that comes from Edge's failure to properly handle certain HTML content. It allows an attacker to design a fake site that looks legitimate, and it is easy to exploit.

Another vulnerability highlighted by the security industry is CVE-2018-8310, which is caused by Microsoft Outlook's failure to properly handle certain attached files when rendering HTML emails. Successful exploitation of this vulnerability allows untrusted TrueType fonts to be embedded in messages. Combined with other attacks, it can compromise user systems. Although the vulnerability is not considered serious, it has been used in attacks in the past to spread malware and even evade traditional security filtering mechanisms.

This month, Microsoft also patched a denial of service vulnerability in the Windows Domain Name System DNSAPI. The vulnerability, CVE-2018-8304, is caused by DNSAPI.dll's failure to properly handle DNS responses. It can cause the system to stop responding.

Compared to CVE-2018-8225, which Microsoft patched last month, CVE-2018-8304 is only listed as Important because it does not lead to privilege escalation or remote code execution attacks.

Article from: Huizhong Industrial Science Station http://hertzhon.com.tw/