There are four publicly-disclosed flaws this month

Sep 12, 2018 04:56 GMT

Microsoft has rolled out security updates for a total of 61 vulnerabilities in its software, including for 17 flaws that are rated as critical.

In addition to the critical vulnerabilities, four security holes have been publicly disclosed, and patching them should be prioritized this month.

Products getting patches this month include Windows, Internet Explorer, Microsoft Edge, Office, ASP.NET, and .NET Framework.

First of all, there’s the ALPC Elevation of Privilege vulnerability (CVE-2018-8440) that was disclosed earlier this month and which has already been exploited in the wild. This flaw was published on Twitter and Microsoft waited until the September 2018 Patch Tuesday to deliver a fix.

Publicly-disclosed flaws

The three other publicly-disclosed vulnerabilities are CVE-2018-8409, CVE-2018-8457, and CVE-2018-8475.

CVE-2018-8409 is a Denial of Service vulnerability that has been discovered in System.IO.Pipelines and which can be exploited remotely without authentication, Microsoft explains. Exploitation is rated as less likely, however. .NET Core 2.1, ASP.NET Core 2.1 and System.IO.Pipelines are affected, and Microsoft has flagged the flaw with an important severity rating.

CVE-2018-8457 hits Microsoft Edge and Internet Explorer on all supported Windows versions, and this time the flaw is rated as either moderate or critical, depending on platform.

“The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system,” Microsoft warns.

Carrying out an attack is possible with the help of a crafted website, so staying away from untrusted URLs until patching is complete is a good way to mitigate possible exploits.

CVE-2018-8475 is a Windows Remote Code Execution vulnerability that can be exploited with a compromised image file. Microsoft says that exploitation is more likely, and confirms the flaw exists on all Windows versions. Not opening untrusted image files is a way to prevent attacks.

There are no reported issues with updates this month, and given the publicly-disclosed flaws, patching or alternative mitigation techniques should be applied as soon as possible.