Patch Tuesday, September 2018

September's Patch Tuesday is here with patches for 61 CVEs and two roll-up patches: one for multiple Denial of Service vulnerabilities in Windows and one for the ever-present Remote Code Execution (RCE) vulnerabilities in Adobe Flash. Across the patched CVEs, 17 are rated "Critical", 43 are rated "Important" and one is rated "Moderate".

The scripting engine used during web browsing is back with the majority of the "Critical" vulnerabilities. In addition, there are patches for RCE vulnerabilities in the .NET and Hyper-V server platforms. Since these services are often public facing, the risk from those vulnerabilities is higher than most. The last "Critical" vulnerability (CVE-2018-8475) affects all Windows platforms and is exploited via a malicious image file. All that would be necessary to exploit it is to convince a user to open the specially crafted image, whether it is embedded in a message, a document or a webpage.

On the list of "Important" vulnerabilities are dozens of Denial of Service and Information Disclosure vulnerabilities. The most important patch among the bunch, and probably the most important patch in this release, is the fix for a Privilege Escalation vulnerability in Windows Advanced Local Procedure Call (ALPC) as used by the Windows Task Scheduler. This vulnerability, assigned CVE-2018-8440, allows an attacker to escalate any user account from limited privileges to full "Local System" rights, the highest privilege on any Windows system.

The reason this vulnerability is so important is that security researcher "SandboxEscaper" got frustrated working with Microsoft on the disclosure process (and perhaps just frustrated with life in general) and released the details of the vulnerability along with Proof of Concept code in an expletive-filled tweet on August 27th. Thus a "Zero Day" was born.

Local Privilege Escalation vulnerabilities are often dismissed as less important since they require local access to a system, typically gained by targeting a user with a social engineering attack. Because of this additional step, even Microsoft rates such vulnerabilities as "Important" instead of "Critical". However, these types of vulnerabilities are routinely used by criminals to get their malware installed with "root" or "system" level access.

In fact, this vulnerability proves the point well, since it took criminals only two days to weaponize the zero day as part of a larger spam campaign. The PowerPool group started pushing out spam with a "fake invoice" that exploits the ALPC bug to install a backdoor with full system privileges.

With a fix for a zero day that is currently being exploited in the wild, in addition to RCE vulnerabilities in .NET and Hyper-V, you'll definitely want to apply these patches as soon as you can.
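The argument above, that Microsoft's severity rating alone mis-ranks an actively exploited privilege escalation, as an added Python example that is not from the original post or from Trustwave: a small scoring model re-ranks the release by exploit evidence and exposure. The advisory list is built from this post's entries; the exploit-status and exposure flags are my reading of the post, and the scoring weights are assumptions rather than any published scheme.

```python
# Constructed example: advisories from the September 2018 release above; flags follow the post.
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    name: str
    cves: tuple                       # CVE ids as given in the post; empty if it lists none
    vendor_severity: str              # Microsoft's rating: Critical / Important / Moderate
    impact: str                       # RCE, EoP, DoS, ID (info disclosure), SFB ...
    exploited_in_wild: bool = False   # seen in active campaigns (assumed from the post)
    public_poc: bool = False          # working exploit code is public
    network_exposed: bool = False     # service is commonly internet-facing
    user_interaction: bool = True     # needs a victim to open or click something


BASE = {"Critical": 7, "Important": 4, "Moderate": 2, "Low": 1}  # assumed weights


def priority_score(a: Advisory) -> int:
    """Vendor severity is the floor; exploit evidence and exposure raise it.
    Active exploitation outweighs a bare Critical rating, the post's point about ALPC."""
    score = BASE[a.vendor_severity]
    if a.exploited_in_wild:
        score += 7
    elif a.public_poc:
        score += 4
    if a.impact == "RCE" and a.network_exposed:
        score += 2          # reachable from the network, no victim action required
    if not a.user_interaction:
        score += 1
    return score


def triage(advisories):
    """Highest score first; ties broken alphabetically for a stable report."""
    return sorted(advisories, key=lambda a: (-priority_score(a), a.name))


SEPTEMBER_2018 = [
    Advisory("Windows ALPC Elevation of Privilege", ("CVE-2018-8440",), "Important", "EoP",
             exploited_in_wild=True, public_poc=True),
    Advisory(".NET Framework Remote Code Execution", (), "Critical", "RCE",
             network_exposed=True, user_interaction=False),
    Advisory("Windows Hyper-V Remote Code Execution", ("CVE-2018-0965", "CVE-2018-8439"),
             "Critical", "RCE", network_exposed=True, user_interaction=False),
    Advisory("Windows Remote Code Execution (image file)", ("CVE-2018-8475",), "Critical", "RCE"),
    Advisory("Windows Kernel Information Disclosure", ("CVE-2018-8336",), "Important", "ID"),
    Advisory("Lync for Mac 2011 Security Feature Bypass", (), "Moderate", "SFB"),
]

if __name__ == "__main__":
    for a in triage(SEPTEMBER_2018):
        print(f"{priority_score(a):>2}  {a.vendor_severity:<9} {a.name}")
```

Run as-is, the "Important" ALPC bug lands at the top of the report ahead of every "Critical" entry, which is the ordering the post argues for.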

Critical

| Vulnerability | CVE(s) | Impact |
| --- | --- | --- |
| September 2018 Adobe Flash Security Update | | Remote Code Execution |
| .NET Framework Remote Code Execution Vulnerability | | Remote Code Execution |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2018-8367, CVE-2018-8465, CVE-2018-8466, CVE-2018-8467 | Remote Code Execution |
| Internet Explorer Memory Corruption Vulnerability | CVE-2018-8447, CVE-2018-8461 | Remote Code Execution |
| Microsoft Edge PDF Remote Code Execution Vulnerability | | Remote Code Execution |
| MS XML Remote Code Execution Vulnerability | | Remote Code Execution |
| Scripting Engine Memory Corruption Vulnerability | CVE-2018-8391, CVE-2018-8456, CVE-2018-8457, CVE-2018-8459 | Remote Code Execution |
| Win32k Graphics Remote Code Execution Vulnerability | | Remote Code Execution |
| Windows Hyper-V Remote Code Execution Vulnerability | CVE-2018-0965, CVE-2018-8439 | Remote Code Execution |
| Windows Remote Code Execution Vulnerability | CVE-2018-8475 | Remote Code Execution |

Important

| Vulnerability | CVE(s) | Impact |
| --- | --- | --- |
| Windows Denial of Service Vulnerability | | Denial of Service |
| ASP.NET Core Denial of Service | | Denial of Service |
| Device Guard Security Feature Bypass Vulnerability | | Security Feature Bypass |
| DirectX Graphics Kernel Elevation of Privilege Vulnerability | | Elevation of Privilege |
| Internet Explorer Security Feature Bypass Vulnerability | | Security Feature Bypass |
| Microsoft Edge Elevation of Privilege Vulnerability | CVE-2018-8463, CVE-2018-8469 | Elevation of Privilege |
| Microsoft Edge Information Disclosure Vulnerability | | Information Disclosure |
| Microsoft Edge Spoofing Vulnerability | | Spoofing |
| Microsoft Excel Information Disclosure Vulnerability | | Information Disclosure |
| Microsoft Excel Remote Code Execution Vulnerability | | Remote Code Execution |
| Microsoft Graphics Component Information Disclosure Vulnerability | | Information Disclosure |
| Microsoft JET Database Engine Remote Code Execution Vulnerability | CVE-2018-8392, CVE-2018-8393, CVE-2018-8423 | Remote Code Execution |
| Microsoft Office SharePoint XSS Vulnerability | | Information Disclosure |
| Microsoft Scripting Engine Information Disclosure Vulnerability | | Information Disclosure |
| Microsoft SharePoint Elevation of Privilege Vulnerability | CVE-2018-8428, CVE-2018-8431 | Elevation of Privilege |
| OData Denial of Service Vulnerability | | Denial of Service |
| Scripting Engine Information Disclosure Vulnerability | | Information Disclosure |
| Scripting Engine Memory Corruption Vulnerability | | Remote Code Execution |
| Windows ALPC Elevation of Privilege Vulnerability | CVE-2018-8440 | Elevation of Privilege |
| Windows Elevation of Privilege Vulnerability | | Elevation of Privilege |
| Windows GDI Information Disclosure Vulnerability | | Information Disclosure |
| Windows Hyper-V Denial of Service Vulnerability | CVE-2018-8436, CVE-2018-8437, CVE-2018-8438 | Denial of Service |
| Windows Hyper-V Information Disclosure Vulnerability | | Information Disclosure |
| Windows Hyper-V Security Feature Bypass Vulnerability | | Security Feature Bypass |
| Windows Information Disclosure Vulnerability | | Information Disclosure |
| Windows Kernel Elevation of Privilege Vulnerability | | Elevation of Privilege |
| Windows Kernel Information Disclosure Vulnerability | CVE-2018-8336, CVE-2018-8419, CVE-2018-8442, CVE-2018-8443, CVE-2018-8445, CVE-2018-8446 | Information Disclosure |
| Windows Registry Elevation of Privilege Vulnerability | | Elevation of Privilege |
| Windows SMB Denial of Service Vulnerability | | Denial of Service |
| Windows SMB Information Disclosure Vulnerability | | Information Disclosure |
| Windows Subsystem for Linux Elevation of Privilege Vulnerability | | Elevation of Privilege |
| Windows Subsystem for Linux Security Feature Bypass Vulnerability | | Security Feature Bypass |
| Word PDF Remote Code Execution Vulnerability | | Remote Code Execution |

Moderate

| Vulnerability | CVE(s) | Impact |
| --- | --- | --- |
| Lync for Mac 2011 Security Feature Bypass Vulnerability | | Elevation of Privilege |
