September's Patch Tuesday is here with patches for 61 CVEs and two roll up patches, one for multiple Denial of Service vulnerabilities in Windows and one for the ever present Remote Code Execution (RCE) vulnerabilities in Adobe Flash. Across the patched CVEs, 17 are rated as "Critical", 43 are rated as "Important" and one is rated "Modera
The scripting engine used during web browsing is back with the majority of the "Critical" vulnerabilities. In addition there are patches for RCE vulnerabilities for .NET and Hyper-V server platforms. Since these services are often public facing, the risk of those vulnerabilities is higher than most. The last "Critical" vulnerability (CVE-2018-8475) affects all Windows platforms and is exploited via a malicious image file. All that would be necessary to exploit the vulnerability would be to convince a user to open the specially crafted image, whether it's embedded in a message, a document or a webpage.
On the list of "Important" vulnerabilities are dozens of Denial of Service and Information Disclosure vulnerabilities. The most important patch among the bunch, and probably the most important patch in this release, is a patch for a Privilege Escalation vulnerability in Windows Advanced Local Procedure Call (ALPC) as used by the Windows Task Scheduler. This vulnerability, issued CVE-2018-8440, allows an attacker to escalate any user account from limited privilege to full "Local System" rights, the highest privilege on any Windows system.
The reason why this vulnerability is so important is that security researcher "SandboxEscaper" got frustrated working with Microsoft on the disclosure process (and perhaps just frustrated with life in general) and they released the details of the vulnerability along with Proof of Concept code in an expletive filled tweet on August 27th. Thus a "Zero Day" was born.
Local Privilege Escalation vulnerabilities are often dismissed as less important since they require local access to a system, typically via a user targeted with a social engineering attack. Because of this additional step, even Microsoft rates such vulnerabilities as "Important" instead of "Critical". However, these types of vulnerabilities are often used by criminals to get their malware installed with "root" or "system" level access.
In fact this vulnerability proves that point well, since it took criminals only two days to weaponize this zero day as a part of a larger spam campaign. The PowerPool group started pushing out spam with a "fake invoice" that exploits the ALPC bug to install a backdoor with full system privileges.
With a fix for a zero day that is currently being exploited in the wild in addition to RCE vulnerabilities in .NET and Hyper-V, you'll definitely want to apply these patches as soon as you can.
Critical
September 2018 Adobe Flash Security Update
ADV180023
Remote Code Execution
.NET Framework Remote Code Execution Vulnerability
CVE-2018-8421
Remote Code Execution
Chakra Scripting Engine Memory Corruption Vulnerability
CVE-2018-8367, CVE-2018-8465, CVE-2018-8466, CVE-2018-8467
Remote Code Execution
Internet Explorer Memory Corruption Vulnerability
CVE-2018-8447, CVE-2018-8461
Remote Code Execution
Microsoft Edge PDF Remote Code Execution Vulnerability
CVE-2018-8464
Remote Code Execution
MS XML Remote Code Execution Vulnerability
CVE-2018-8420
Remote Code Execution
Scripting Engine Memory Corruption Vulnerability
CVE-2018-8391, CVE-2018-8456, CVE-2018-8457, CVE-2018-8459
Remote Code Execution
Win32k Graphics Remote Code Execution Vulnerability
CVE-2018-8332
Remote Code Execution
Windows Hyper-V Remote Code Execution Vulnerability
CVE-2018-0965, CVE-2018-8439
Remote Code Execution
Windows Remote Code Execution Vulnerability
CVE-2018-8475
Remote Code Execution
Important
Windows Denial of Service Vulnerability
ADV180022
Denial of Service
ASP.NET Core Denial of Service
CVE-2018-8409
Denial of Service
Device Guard Security Feature Bypass Vulnerability
CVE-2018-8449
Security Feature Bypass
DirectX Graphics Kernel Elevation of Privilege Vulnerability
CVE-2018-8462
Elevation of Privilege
Internet Explorer Security Feature Bypass Vulnerability
CVE-2018-8470
Security Feature Bypass
Microsoft Edge Elevation of Privilege Vulnerability
CVE-2018-8463, CVE-2018-8469
Elevation of Privilege
Microsoft Edge Information Disclosure Vulnerability
CVE-2018-8366
Information Disclosure
Microsoft Edge Spoofing Vulnerability
CVE-2018-8425
Spoofing
Microsoft Excel Information Disclosure Vulnerability
CVE-2018-8429
Information Disclosure
Microsoft Excel Remote Code Execution Vulnerability
CVE-2018-8331
Remote Code Execution
Microsoft Graphics Component Information Disclosure Vulnerability
CVE-2018-8433
Information Disclosure
Microsoft JET Database Engine Remote Code Execution Vulnerability
CVE-2018-8392, CVE-2018-8393, CVE-2018-8423
Remote Code Execution
Microsoft Office SharePoint XSS Vulnerability
CVE-2018-8426
Information Disclosure
Microsoft Scripting Engine Information Disclosure Vulnerability
CVE-2018-8315
Information Disclosure
Microsoft SharePoint Elevation of Privilege Vulnerability
CVE-2018-8428, CVE-2018-8431
Elevation of Privilege
OData Denial of Service Vulnerability
CVE-2018-8269
Denial of Service
Scripting Engine Information Disclosure Vulnerability
CVE-2018-8452
Information Disclosure
Scripting Engine Memory Corruption Vulnerability
CVE-2018-8354
Remote Code Execution
Windows ALPC Elevation of Privilege Vulnerability
CVE-2018-8440
Elevation of Privilege
Windows Elevation of Privilege Vulnerability
CVE-2018-8468
Elevation of Privilege
Windows GDI Information Disclosure Vulnerability
CVE-2018-8424
Information Disclosure
Windows Hyper-V Denial of Service Vulnerability
CVE-2018-8436, CVE-2018-8437, CVE-2018-8438
Denial of Service
Windows Hyper-V Information Disclosure Vulnerability
CVE-2018-8434
Information Disclosure
Windows Hyper-V Security Feature Bypass Vulnerability
CVE-2018-8435
Security Feature Bypass
Windows Information Disclosure Vulnerability
CVE-2018-8271
Information Disclosure
Windows Kernel Elevation of Privilege Vulnerability
CVE-2018-8455
Elevation of Privilege
Windows Kernel Information Disclosure Vulnerability
CVE-2018-8336, CVE-2018-8419, CVE-2018-8442, CVE-2018-8443, CVE-2018-8445, CVE-2018-8446
Information Disclosure
Windows Registry Elevation of Privilege Vulnerability
CVE-2018-8410
Elevation of Privilege
Windows SMB Denial of Service Vulnerability
CVE-2018-8335
Denial of Service
Windows SMB Information Disclosure Vulnerability
CVE-2018-8444
Information Disclosure
Windows Subsystem for Linux Elevation of Privilege Vulnerability
CVE-2018-8441
Elevation of Privilege
Windows Subsystem for Linux Security Feature Bypass Vulnerability
CVE-2018-8337
Security Feature Bypass
Word PDF Remote Code Execution Vulnerability
CVE-2018-8430
Remote Code Execution
Moderate
Lync for Mac 2011 Security Feature Bypass Vulnerability
CVE-2018-8474
Elevation of Privilege