Tripwire の脆弱性調査チーム:VERT が月に一度の パッチプライオリティ指標(Patch Priority Index:PPI) を公開します。非常に重要な意味を持つ PPI は、日々これらのパッチにより解決される脆弱性に取り組んでいる VERT の研究員がリリースしています。
パッチプライオリティ指標の決め方は詳しい:https://blog.tripwire.co.jp/blog/understanding-prioritization にてご参考ください。
また、新しい脆弱性ソリューションが弊社のディストリビューターからリリースされましたので、是非ご覧になってください。
下記は2018年8月のパッチプライオリティ指標になります。
First on the patch priority list this month are patches for Microsoft’s Internet Explorer, Edge, and Scripting Engine. These patches resolve 21 vulnerabilities, including fixes for Remote Code Execution, Elevation of Privilege, Information Disclosure, Memory Corruption, Security Feature Bypass, and Spoofing vulnerabilities. This set of vulnerabilities includes CVE-2018-8373 for Internet Explorer, and according to Microsoft, it has been publicly disclosed and exploitation has been detected for older software releases.
Next on the patch priority list this month are patches released by Adobe and described in the APSB18-25 security bulletin. This patch set includes fixes for vulnerabilities in Adobe Flash Player for Windows, Macintosh, Linux, and Chrome OS. The patches address out-of-bounds read, security bypass, and vulnerable component vulnerabilities.
After Adobe, users should focus on Microsoft Excel, PowerPoint, and Office. These patches resolve 5 vulnerabilities including Information Disclosure and Remote Code Execution.
Next on the list are patches for Microsoft Windows. These patches address 27 vulnerabilities across AD FS, Device Guard, Diagnostic Hub, DirectX Graphics Kernel, GDI+, LNK, Microsoft COM, Cortana, Win32k.sys, Windows Installer, Windows Kernel, NDIS, Windows PDF, and Windows Shell. This set of vulnerabilities includes CVE-2018-8414 for Windows Shell, and according to Microsoft, it has been publicly disclosed and exploited.
Lastly for this month, users should focus on the patches for .NET, Exchange Server, and SQL server. These patches resolve information disclosure, memory corruption, tampering, and remote code execution vulnerabilities.
To learn more about Tripwire’s Vulnerability and Exposure Research Team (VERT), click here.
| BULLETIN | CVE |
| Microsoft Browser | CVE-2018-8316, CVE-2018-8357, CVE-2018-8351, CVE-2018-8403, CVE-2018-8370, CVE-2018-8387, CVE-2018-8377, CVE-2018-8358, CVE-2018-8383, CVE-2018-8388 |
| Microsoft Scripting Engine | CVE-2018-8266, CVE-2018-8381, CVE-2018-8380, CVE-2018-8390, CVE-2018-8355, CVE-2018-8353, CVE-2018-8372, CVE-2018-8389, CVE-2018-8373, CVE-2018-8371, CVE-2018-8385 |
| Adobe Flash Player – APSB18-25 | CVE-2018-12824, CVE-2018-12825, CVE-2018-12826, CVE-2018-12827, CVE-2018-12828 |
| Microsoft Excel | CVE-2018-8382, CVE-2018-8379, CVE-2018-8375 |
| Microsoft PowerPoint | CVE-2018-8376 |
| Microsoft Office | CVE-2018-8378 |
| Windows | CVE-2018-8340, CVE-2018-8204, CVE-2018-8200, CVE-2018-0952, CVE-2018-8406, CVE-2018-8400, CVE-2018-8401, CVE-2018-8405, CVE-2018-8397, CVE-2018-8345, CVE-2018-8346, CVE-2018-8349, CVE-2018-8253, CVE-2018-8344, CVE-2018-8399, CVE-2018-8404, CVE-2018-8394, CVE-2018-8396, CVE-2018-8398, CVE-2018-8339, CVE-2018-8347, CVE-2018-8348, CVE-2018-8341, CVE-2018-8343, CVE-2018-8342, CVE-2018-8350, CVE-2018-8414 |
| .NET | CVE-2018-8360 |
| Exchange Server | CVE-2018-8302, CVE-2018-8374 |
| SQL Server | CVE-2018-8273 |
