Posted on Wednesday, Mar 14 2018 @ 19:43 CET by Thomas De Maesschalck
With yesterday's Patch Tuesday rollout, Microsoft smashed a total of 75 security vulnerabilities. Nasty ones included nine remote code execution bugs in Edge and Internet Explorer. Full details at The Register
The fixed bugs include nine remote code execution (RCE) flaws in the Chakra scripting engine in Edge. Microsoft says the scripting bugs (such as CVE-2018-0874) would allow an infected webpage to run code with the logged-in user's clearance level.
The Edge scripting engine was also the subject of four memory corruption RCE flaws, as well as an information disclosure bug, CVE-2018-0839, that allows an attack page to view objects in memory.
ARS Technica adds that Microsoft
dropped its mandatory antivirus requirement. This was a temporary measure introduced in the wake of the Meltdown and Spectre fixes. Microsoft now reverses this policy because incompatile AV software turned out to be extremely rare:
Microsoft found that certain antivirus products manipulated Windows' kernel memory in unsupported ways that would crash systems with the Meltdown fix applied. The registry entry was a way for antivirus software to positively affirm that it was compatible with the Meltdown fix; if that entry was absent, Windows assumed that incompatible antivirus software was installed and hence did not apply the security fix.
This put systems without any antivirus software at all in a strange position: they too lack the registry entries, so they'd be passed over for fixes, even though they don't, in fact, have any incompatible antivirus software.