Microsoft patches HoloLens AR headset against remote hack

Microsoft’s July Patch Tuesday fixes 19 critical flaws, including one that affects its augmented reality HoloLens headset.

Microsoft has released updates to fix 26 Windows bugs and 28 issues affecting other products. The company’s July Patch Tuesday covers a total of 54 flaws, each with a unique Common Vulnerabilities and Exposures (CVE) identifier, though CVE numbers aren't obvious in the new Security Update Guide, which was introduced in April.

The July release notes highlight updates for Internet Explorer, Edge, Windows, Office and Office Services and Web Apps, .NET Framework, Adobe Flash Player, and Exchange Server.    

The Windows 10 update is cumulative, including all security fixes and non-security updates for bugs affecting Windows 10.   

Microsoft notes that the first version of Windows 10 — version 1507 — hasn't received security updates since May 9 and recommends updating to the latest version of Windows 10.

Security firm Qualys says patching CVE-2017-8589, which affects the Windows Search service, should be the top priority.

“A remote code execution vulnerability exists when Windows Search handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft said.

Attackers can use the SMB file-sharing protocol to exploit the flaw and take control of Windows 10 and earlier, as well as Windows Server 2016, 2012, 2008 R2, and 2008. Qualys notes this vulnerability is not related to the SMB flaws used in the WannaCry and NotPetya ransomware attacks.

Microsoft has also patched its augmented reality platform HoloLens to block a remote code execution flaw. 

“A remote code execution vulnerability exists when HoloLens improperly handles objects in memory. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft notes.

A hacker would need to send a “specially crafted WiFi packet” to exploit the bug, said Microsoft. 

Trend Micro’s ZDI labelled the bug “fascinating” because Microsoft was now patching an augmented reality headset, which in all likelihood won’t be attacked because no one is using it yet. Nonetheless, the bug is rated as critical and details of it were made public before the patch.

Adobe released an update for three separate bugs in Flash Player, one of which was critical. Updates are available for Windows, macOS, Linux and ChromeOS.

 
