Microsoft rolls out June patches and a host of bug fixes for its latest version of Windows 10.
The KB4284835 update moves Windows 10 version 1803 to OS Build 17134.112 and addresses an issue that caused systems to start up in a black screen.
“This issue occurs because previous updates to the Spring Creators Update were incompatible with specific versions of PC tune-up utilities after installation.”
This issue is separate to the black screen problems Avast users were struggling with last month after installing Windows 10 version 1803.
Among the other bug fixes, Microsoft has fixed an issue where firmware updates cause devices to go into BitLocker recovery mode when it’s enabled, but Secure Boot is disabled or not present. This build now prevents firmware installation when a device is in this state.
Admins can install firmware by temporarily suspending BitLocker, by installing firmware updates before the next OS startup, or by immediately restarting the device so that BitLocker doesn’t remain in a suspended state.
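The workaround above, sketched as an added PowerShell example (not from Microsoft or the original article): it checks whether a device is in the blocked state, with BitLocker on and Secure Boot disabled or not present, and suspends BitLocker for a single restart. The function names are hypothetical, the OS volume is assumed to be the one that matters, and the firmware install itself is a vendor-specific step left as a placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example; function names below are hypothetical, the cmdlets are the
# built-in SecureBoot and BitLocker module cmdlets.

function Get-SecureBootState {
    # Confirm-SecureBootUEFI returns $true/$false on UEFI systems and throws
    # PlatformNotSupportedException on legacy BIOS systems ("not present").
    try {
        if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' } else { 'Disabled' }
    } catch [System.PlatformNotSupportedException] {
        'NotPresent'
    }
}

function Suspend-BitLockerForFirmware {
    param([string]$MountPoint = $env:SystemDrive)   # assumption: OS volume

    $volume     = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $secureBoot = Get-SecureBootState

    if ($volume.ProtectionStatus -ne 'On') {
        return "BitLocker protection is not active on $MountPoint; nothing to suspend."
    }
    if ($secureBoot -eq 'Enabled') {
        return "Secure Boot is enabled; the device is not in the blocked state."
    }

    # Blocked state: BitLocker on, Secure Boot disabled or not present.
    # -RebootCount 1 makes protection resume by itself after one restart,
    # so the volume does not stay suspended if a later step is forgotten.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 -ErrorAction Stop | Out-Null
    return "BitLocker suspended on $MountPoint for one restart (Secure Boot: $secureBoot)."
}

Suspend-BitLockerForFirmware

# Placeholder: run the vendor's firmware update tool here, before the next OS startup.

# Then restart promptly so BitLocker does not remain suspended:
# Restart-Computer

# After the restart, confirm protection is back on:
# (Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus
```

If the status check after the restart still reports `Off`, `Resume-BitLocker -MountPoint $env:SystemDrive` re-enables protection manually.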
Microsoft’s June security patches, which are included in the new Windows 10 build, address flaws in Internet Explorer, Microsoft Edge, Windows, Office, the ChakraCore scripting engine, and the Adobe Flash Player flaw that was already being exploited in the wild.
The update fixes 11 critical flaws and 39 rated as important, but only one of the bugs was publicly disclosed this month and none is known to be exploited.
Microsoft’s advisory for CVE-2018-8267 notes that the flaw can be exploited through Internet Explorer or an Office document that hosts the IE rendering engine. A victim would need to visit a malicious or compromised website. Microsoft believes this bug is likely to be exploited.
Cisco’s Talos Intelligence researchers highlighted three bugs that Windows users should patch promptly this month, including the publicly disclosed flaw and a remote code execution vulnerability within Windows Domain Name System (DNS), CVE-2018-8225.
“This vulnerability manifests due to DNSAPI.dll improperly handling DNS responses. This vulnerability could allow a remote attacker to execute arbitrary code within the context of the LocalSystem account on affected systems,” wrote Talos researchers.
“An attacker could leverage a malicious DNS server and send specially crafted DNS responses to trigger this vulnerability.” However, Microsoft notes exploitation of this bug is less likely.
The third key fix is for a remote code execution vulnerability affecting Chakra (CVE-2018-8229), which was found by Google Project Zero, and can be exploited through Edge. Microsoft believes this flaw is likely to be exploited.
Microsoft has also published new guidance on Windows mitigations for the Meltdown and Spectre flaws, and the related Spectre Variant 4 Speculative Store Bypass attack, CVE-2018-3639. To be fully protected, users and admins may have to take further action, Microsoft notes.
Already released mitigations for Windows 10 through to Windows 7 for Spectre variant 1, CVE-2017-5715, and Meltdown variant 3, CVE-2017-5754, are enabled by default.
On supported Windows Server systems, the mitigations are disabled by default and admins will need to take further steps to enable them.
Mitigations for variant 4 are only available for Windows 10, Windows Server 2016, Windows 7, and Windows Server 2008 R2. However, they’re disabled by default.
The June update also addresses a Cortana elevation of privilege vulnerability that could allow an attacker to execute commands with elevated permissions.
Cortana retrieves data “from user input services without consideration for status”, according to Microsoft.
An attacker who successfully exploited the vulnerability could execute commands with elevated permissions. However, the attacker would need physical access to a system with Cortana enabled.