Patch Tuesday, September 2018

September's Patch Tuesday is here with patches for 61 CVEs and two roll-up patches, one for multiple Denial of Service vulnerabilities in Windows and one for the ever-present Remote Code Execution (RCE) vulnerabilities in Adobe Flash. Across the patched CVEs, 17 are rated as "Critical", 43 are rated as "Important" and one is rated "Moderate".

The scripting engine used during web browsing is back with the majority of the "Critical" vulnerabilities. In addition, there are patches for RCE vulnerabilities in the .NET and Hyper-V server platforms. Since these services are often public facing, the risk from those vulnerabilities is higher than most. The last "Critical" vulnerability (CVE-2018-8475) affects all Windows platforms and is exploited via a malicious image file. All that would be necessary to exploit the vulnerability would be to convince a user to open the specially crafted image, whether it's embedded in a message, a document or a webpage.

On the list of "Important" vulnerabilities are dozens of Denial of Service and Information Disclosure vulnerabilities. The most important patch among the bunch, and probably the most important patch in this release, is a patch for a Privilege Escalation vulnerability in Windows Advanced Local Procedure Call (ALPC) as used by the Windows Task Scheduler. This vulnerability, issued CVE-2018-8440, allows an attacker to escalate any user account from limited privilege to full "Local System" rights, the highest privilege on any Windows system.

The reason why this vulnerability is so important is that security researcher "SandboxEscaper" got frustrated working with Microsoft on the disclosure process (and perhaps just frustrated with life in general) and released the details of the vulnerability along with Proof of Concept code in an expletive-filled tweet on August 27th. Thus a "Zero Day" was born.

Local Privilege Escalation vulnerabilities are often dismissed as less important since they require local access to a system, typically via a user targeted with a social engineering attack. Because of this additional step, even Microsoft rates such vulnerabilities as "Important" instead of "Critical". However, these types of vulnerabilities are often used by criminals to get their malware installed with "root" or "system" level access.

In fact, this vulnerability proves that point well, since it took criminals only two days to weaponize this zero day as part of a larger spam campaign. The PowerPool group started pushing out spam with a "fake invoice" that exploits the ALPC bug to install a backdoor with full system privileges.

With a fix for a zero day that is currently being exploited in the wild in addition to RCE vulnerabilities in .NET and Hyper-V, you'll definitely want to apply these patches as soon as you can.

Critical

September 2018 Adobe Flash Security Update
ADV180023
Remote Code Execution

.NET Framework Remote Code Execution Vulnerability
CVE-2018-8421
Remote Code Execution

Chakra Scripting Engine Memory Corruption Vulnerability
CVE-2018-8367, CVE-2018-8465, CVE-2018-8466, CVE-2018-8467
Remote Code Execution

Internet Explorer Memory Corruption Vulnerability
CVE-2018-8447, CVE-2018-8461
Remote Code Execution

Microsoft Edge PDF Remote Code Execution Vulnerability
CVE-2018-8464
Remote Code Execution

MS XML Remote Code Execution Vulnerability
CVE-2018-8420
Remote Code Execution

Scripting Engine Memory Corruption Vulnerability
CVE-2018-8391, CVE-2018-8456, CVE-2018-8457, CVE-2018-8459
Remote Code Execution

Win32k Graphics Remote Code Execution Vulnerability
CVE-2018-8332
Remote Code Execution

Windows Hyper-V Remote Code Execution Vulnerability
CVE-2018-0965, CVE-2018-8439
Remote Code Execution

Windows Remote Code Execution Vulnerability
CVE-2018-8475
Remote Code Execution

Important

Windows Denial of Service Vulnerability
ADV180022
Denial of Service

ASP.NET Core Denial of Service
CVE-2018-8409
Denial of Service

Device Guard Security Feature Bypass Vulnerability
CVE-2018-8449
Security Feature Bypass

DirectX Graphics Kernel Elevation of Privilege Vulnerability
CVE-2018-8462
Elevation of Privilege

Internet Explorer Security Feature Bypass Vulnerability
CVE-2018-8470
Security Feature Bypass

Microsoft Edge Elevation of Privilege Vulnerability
CVE-2018-8463, CVE-2018-8469
Elevation of Privilege

Microsoft Edge Information Disclosure Vulnerability
CVE-2018-8366
Information Disclosure

Microsoft Edge Spoofing Vulnerability
CVE-2018-8425
Spoofing

Microsoft Excel Information Disclosure Vulnerability
CVE-2018-8429
Information Disclosure

Microsoft Excel Remote Code Execution Vulnerability
CVE-2018-8331
Remote Code Execution

Microsoft Graphics Component Information Disclosure Vulnerability
CVE-2018-8433
Information Disclosure

Microsoft JET Database Engine Remote Code Execution Vulnerability
CVE-2018-8392, CVE-2018-8393, CVE-2018-8423
Remote Code Execution

Microsoft Office SharePoint XSS Vulnerability
CVE-2018-8426
Information Disclosure

Microsoft Scripting Engine Information Disclosure Vulnerability
CVE-2018-8315
Information Disclosure

Microsoft SharePoint Elevation of Privilege Vulnerability
CVE-2018-8428, CVE-2018-8431
Elevation of Privilege

OData Denial of Service Vulnerability
CVE-2018-8269
Denial of Service

Scripting Engine Information Disclosure Vulnerability
CVE-2018-8452
Information Disclosure

Scripting Engine Memory Corruption Vulnerability
CVE-2018-8354
Remote Code Execution

Windows ALPC Elevation of Privilege Vulnerability
CVE-2018-8440
Elevation of Privilege

Windows Elevation of Privilege Vulnerability
CVE-2018-8468
Elevation of Privilege

Windows GDI Information Disclosure Vulnerability
CVE-2018-8424
Information Disclosure

Windows Hyper-V Denial of Service Vulnerability
CVE-2018-8436, CVE-2018-8437, CVE-2018-8438
Denial of Service

Windows Hyper-V Information Disclosure Vulnerability
CVE-2018-8434
Information Disclosure

Windows Hyper-V Security Feature Bypass Vulnerability
CVE-2018-8435
Security Feature Bypass

Windows Information Disclosure Vulnerability
CVE-2018-8271
Information Disclosure

Windows Kernel Elevation of Privilege Vulnerability
CVE-2018-8455
Elevation of Privilege

Windows Kernel Information Disclosure Vulnerability
CVE-2018-8336, CVE-2018-8419, CVE-2018-8442, CVE-2018-8443, CVE-2018-8445, CVE-2018-8446
Information Disclosure

Windows Registry Elevation of Privilege Vulnerability
CVE-2018-8410
Elevation of Privilege

Windows SMB Denial of Service Vulnerability
CVE-2018-8335
Denial of Service

Windows SMB Information Disclosure Vulnerability
CVE-2018-8444
Information Disclosure

Windows Subsystem for Linux Elevation of Privilege Vulnerability
CVE-2018-8441
Elevation of Privilege

Windows Subsystem for Linux Security Feature Bypass Vulnerability
CVE-2018-8337
Security Feature Bypass

Word PDF Remote Code Execution Vulnerability
CVE-2018-8430
Remote Code Execution

Moderate

Lync for Mac 2011 Security Feature Bypass Vulnerability
CVE-2018-8474
Elevation of Privilege
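The list above is a flattened three-line-per-entry bulletin (title, comma-separated identifiers, impact) under severity headings, and the intro's "17 Critical, 43 Important, 1 Moderate" counts come from adding up the CVEs in it. As an added example, not code from the original post or from Trustwave, here is a small Python script that parses a bulletin in this format into records, counts CVEs and advisories per severity, and orders entries for deployment so that anything known to be exploited in the wild (here CVE-2018-8440, as the post states) comes before the Critical RCEs. The `BULLETIN` text is a constructed excerpt of the list above; the `SEVERITIES` order and the `prioritise` ranking are the example's own assumptions.

```python
"""Parse a flattened Patch Tuesday bulletin and produce a triage order.

Added example (not the original post's code). The bulletin excerpt below
is constructed from the entries listed on the page.
"""
import re
from collections import Counter

# Constructed excerpt of the bulletin, same layout as the post:
# severity heading, then blank-line separated title / IDs / impact triples.
BULLETIN = """\
Critical

Chakra Scripting Engine Memory Corruption Vulnerability
CVE-2018-8367, CVE-2018-8465, CVE-2018-8466, CVE-2018-8467
Remote Code Execution

Windows Hyper-V Remote Code Execution Vulnerability
CVE-2018-0965, CVE-2018-8439
Remote Code Execution

Important

Windows Denial of Service Vulnerability
ADV180022
Denial of Service

Windows ALPC Elevation of Privilege Vulnerability
CVE-2018-8440
Elevation of Privilege

Moderate

Lync for Mac 2011 Security Feature Bypass Vulnerability
CVE-2018-8474
Elevation of Privilege
"""

# Assumed severity ladder, highest first (used for tie-breaking).
SEVERITIES = ("Critical", "Important", "Moderate", "Low")
# Microsoft identifiers seen in the bulletin: CVE-YYYY-NNNN or ADVNNNNNN.
ID_PATTERN = re.compile(r"(CVE-\d{4}-\d{4,7}|ADV\d{6})")


def parse_bulletin(text):
    """Return a list of {severity, title, ids, impact} dicts.

    A one-line paragraph naming a severity opens a section; every other
    paragraph must be exactly three lines. Anything else is a parse error
    rather than a silently skipped entry.
    """
    records, severity = [], None
    for para in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in para.splitlines() if ln.strip()]
        if len(lines) == 1 and lines[0] in SEVERITIES:
            severity = lines[0]
            continue
        if len(lines) != 3 or severity is None:
            raise ValueError(f"unexpected paragraph: {lines!r}")
        title, id_line, impact = lines
        ids = ID_PATTERN.findall(id_line)
        # The ID line must contain nothing but identifiers and separators.
        if not ids or ID_PATTERN.sub("", id_line).strip(", \t"):
            raise ValueError(f"unrecognised identifier line: {id_line!r}")
        records.append({"severity": severity, "title": title,
                        "ids": ids, "impact": impact})
    return records


def count_by_severity(records):
    """CVE counts per severity; ADV* advisories are tallied separately
    so they do not inflate the CVE total the way the post quotes it."""
    cves, advisories = Counter(), Counter()
    for rec in records:
        for ident in rec["ids"]:
            bucket = advisories if ident.startswith("ADV") else cves
            bucket[rec["severity"]] += 1
    return dict(cves), dict(advisories)


def prioritise(records, known_exploited=frozenset()):
    """Deployment order: entries with an identifier known to be exploited
    in the wild first, then Critical RCEs, then the rest by severity.
    sorted() is stable, so ties keep the bulletin's own order."""
    def key(rec):
        exploited = any(i in known_exploited for i in rec["ids"])
        critical_rce = (rec["severity"] == "Critical"
                        and rec["impact"] == "Remote Code Execution")
        return (not exploited, not critical_rce,
                SEVERITIES.index(rec["severity"]))
    return sorted(records, key=key)


if __name__ == "__main__":
    recs = parse_bulletin(BULLETIN)
    cves, advs = count_by_severity(recs)
    print("CVEs per severity:", cves)
    print("Advisories per severity:", advs)
    for rec in prioritise(recs, {"CVE-2018-8440"}):
        print(f"{rec['severity']:9} {rec['impact']:24} {rec['title']}")
```

Run against the full list from the post, the CVE counter gives the same 17 / 43 / 1 split the intro quotes, with the two ADV roll-ups counted separately; the `known_exploited` set is the place to feed in whatever in-the-wild intelligence you have so that a zero day rated only "Important" is not buried below the Critical entries.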
