Microsoft Patch Tuesday updates for September 2018 address 61 vulnerabilities in Internet Explorer (IE), Edge, ChakraCore, Azure, Hyper-V, Windows components, .NET Framework, SQL Server, and Microsoft Office and Office Services. Of the 62 CVEs, 17 are rated as Critical, 43 are rated Important, and just one is rated as Moderate in severity.
The Microsoft Patch Tuesday updates for September 2018 include a fix for the zero-day flaw recently disclosed by a researcher via Twitter.
The vulnerability was publicly disclosed on August 27 by the security expert “@SandboxEscaper,” who also published the exploit code for the vulnerability.
The expert did not report the vulnerability to Microsoft before the public disclosure, forcing the tech giant to rapidly prepare a patch.
The issue is a Windows zero-day privilege escalation vulnerability affecting Microsoft’s Windows Task Scheduler that could be exploited by a local attacker or malicious program to obtain system privileges on the vulnerable system.
The threat actor, tracked as PowerPool, leveraged the Windows zero-day exploit in targeted attacks against a small number of users located in the United States, the United Kingdom, Germany, Ukraine, Chile, India, Russia, the Philippines, and Poland.
According to ESET, attackers have modified the publicly available exploit source code and recompiled it.
Microsoft Patch Tuesday updates for September 2018 also addressed three vulnerabilities that were made public before fixes were released but, unlike the CVE-2018-8440 flaw, were not exploited in attacks.
The CVE-2018-8475 Windows Remote Code Execution flaw, rated as critical, exists because the operating system does not properly handle specially crafted image files. An attacker could exploit the flaw to execute arbitrary code by tricking victims into downloading a specially crafted image file.
“A remote code execution vulnerability exists when Windows does not properly handle specially crafted image files. An attacker who successfully exploited the vulnerability could execute arbitrary code.” reads the advisory published by Microsoft.
“To exploit the vulnerability, an attacker would have to convince a user to download an image file. The update addresses the vulnerability by properly handling image files.”
The flaw is trivial to exploit, and experts warn of possible exploitation in attacks in the coming weeks.
“This CVE could allow an attacker to execute code on a target system just by convincing someone to view an image. That’s all the user interaction needed. Open the wrong image – even through a web browser – and code executes, making this a browse-and-own scenario.” reads a blog post published by Trend Micro’s Zero Day Initiative (ZDI).
“Microsoft provides no information on where this is public, but given the severity of the issue and the relative ease of exploitation, expect this one to find its way into exploit kits quickly.”
Another previously disclosed issue addressed by the Microsoft Patch Tuesday updates for September 2018 is CVE-2018-8457.
The vulnerability affects Microsoft’s web browsers and could be exploited by an attacker to execute arbitrary code by tricking the victims into visiting a malicious website or opening a specially crafted Office document.
“A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” reads the advisory published by Microsoft.
“In a web-based attack scenario, an attacker could host a specially crafted website designed to exploit the vulnerability through a Microsoft browser and then convince a user to view the website. An attacker could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the browser rendering engine.”
The third publicly disclosed vulnerability is a denial-of-service (DoS) flaw (CVE-2018-8409), rated as “important,” that affects .NET Core, ASP.NET Core and the System.IO.Pipelines component.
“A denial of service vulnerability exists when System.IO.Pipelines improperly handles requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an application that is leveraging System.IO.Pipelines. The vulnerability can be exploited remotely, without authentication.” reads the advisory.
“A remote unauthenticated attacker could exploit this vulnerability by providing specially crafted requests to the application.”
Microsoft also fixed the CVE-2018-0965 and CVE-2018-8439 flaws in Windows Hyper-V; both could be exploited by an attacker with access to a guest virtual machine to execute code on the underlying operating system.
Adobe also fixed 10 vulnerabilities in Flash Player and ColdFusion; the good news is that none is severe.