September 2018 Patch Tuesday: Microsoft fixes actively exploited zero-day
Microsoft’s September 2018 Patch Tuesday brings fixes for a little over 60 security vulnerabilities, 17 of which are rated critical and one of which is already being exploited in the wild.
The software giant has also released two advisories: one detailing the vulnerabilities it plugged in Adobe Flash Player, and another announcing that the company is still working on an update for CVE-2018-5391, a Windows denial of service vulnerability in IP fragment reassembly dubbed “FragmentSmack”. (The advisory contains some workarounds.)
Patches to prioritize
As mentioned before, one of the patched flaws is being exploited by attackers.
CVE-2018-8440, a local privilege escalation vulnerability that arises when Windows incorrectly handles calls to the Advanced Local Procedure Call (ALPC) interface, was disclosed publicly in late August. The researcher who found it also published PoC exploit code, and it didn’t take long for attackers to take advantage of it, making this one patch a priority for everyone.
Another patch that should be prioritized is the one for CVE-2018-8475, a critical Windows remote code execution vulnerability that lets attackers execute code simply by convincing the target to view a specially crafted image.
“Open the wrong image – even through a web browser – and code executes, making this a browse-and-own scenario,” Trend Micro Zero Day Initiative’s Dustin Childs pointed out. “Microsoft provides no information on where this is public, but given the severity of the issue and the relative ease of exploitation, expect this one to find its way into exploit kits quickly.”
CVE-2018-8449 is a security feature bypass that causes Device Guard to incorrectly validate an unsigned file. “Because Device Guard relies on the signature to determine the file is non-malicious, Device Guard could then allow a malicious file to execute,” Microsoft noted. Needless to say, this one can come in handy for malware peddlers and other attackers.
Jimmy Graham, Director of Product Management at Qualys, says that the browser and Scripting Engine patches should be prioritized for workstation-type devices.
“The PDF viewer, Windows image parsing, .NET Framework, and Windows font library also have patches available that require a user to interact with a malicious site or file. With two of these vulnerabilities being publicly disclosed, it is important to prioritize Windows workstation patching.”
Patches for Hyper-V systems should also be quickly implemented, as they bring fixes for two remote code execution vulnerabilities.
“For both cases, a user on a guest virtual machine could execute code on the underlying hypervisor OS,” Childs explained. “The root cause for both of these bugs goes back to the failure to properly validate user input. Although titled as ‘remote code execution,’ these bugs require an attacker to execute code on the guest OS. If an attacker (or malware) does have the ability to run programs, their code executes on the hypervisor – potentially impacting other guest OSes.”
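The prioritization above boils down to a few per-host questions: is the cumulative update installed, is the host a Hyper-V hypervisor (so the guest-to-host bugs apply), and is Device Guard / code integrity actually enforced (so CVE-2018-8449 matters)? The following PowerShell triage script is an added example, not code from the article or from Microsoft. It assumes Windows 10 / Server 2016 or later (the Win32_DeviceGuard CIM class does not exist on older releases), and it deliberately takes the KB number as a parameter: the article does not list KB numbers, and the correct one depends on the OS build, so look it up in the Microsoft Security Update Guide before running.

```powershell
<#
  Added triage helper (example code, not from the article).
  Reports which of the September 2018 priority groups apply to this host.
  -KbId is the cumulative update KB for THIS OS build; it is not on the
  page, so it must be supplied (e.g. -KbId 'KB1234567' -- placeholder).
#>
param(
    [string]$KbId = ''   # leave empty to skip the installed-update check
)

function Test-KbInstalled {
    param([Parameter(Mandatory)][string]$Id)
    # Get-HotFix lists installed updates; cumulative updates appear here by KB id.
    return [bool](Get-HotFix -Id $Id -ErrorAction SilentlyContinue)
}

function Get-DeviceGuardState {
    # Win32_DeviceGuard is present on Windows 10 / Server 2016 and later.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if (-not $dg) { return $null }
    [pscustomobject]@{
        # Enforcement status values: 0 = off, 1 = audit mode, 2 = enforced
        KernelCiPolicy   = $dg.CodeIntegrityPolicyEnforcementStatus
        UserModeCiPolicy = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
        # SecurityServicesRunning contains 2 when HVCI is active
        HvciRunning      = ($dg.SecurityServicesRunning -contains 2)
    }
}

function Test-HyperVHost {
    # vmms = Hyper-V Virtual Machine Management; running only on hypervisor hosts.
    $svc = Get-Service -Name vmms -ErrorAction SilentlyContinue
    return ($null -ne $svc -and $svc.Status -eq 'Running')
}

$kbState = if ($KbId) { Test-KbInstalled -Id $KbId } else { $null }
$dgState = Get-DeviceGuardState
$isHyperV = Test-HyperVHost

$priorities = [System.Collections.Generic.List[string]]::new()

# Everyone: the ALPC LPE (CVE-2018-8440) is exploited in the wild and the
# image-parsing RCE (CVE-2018-8475) is browse-and-own.
if ($kbState -eq $false) {
    $priorities.Add("Cumulative update $KbId missing: CVE-2018-8440 (exploited LPE) and CVE-2018-8475 (image RCE) unpatched")
} elseif ($null -eq $kbState) {
    $priorities.Add('KB not supplied: look up the cumulative update for this build and re-run')
}

# Hyper-V hosts: two guest-to-hypervisor RCE fixes.
if ($isHyperV) {
    $priorities.Add('Hyper-V host: guest-to-hypervisor RCE fixes apply, patch and reboot promptly')
}

# Device Guard bypass (CVE-2018-8449) only matters where code integrity is enforced.
if ($dgState -and ($dgState.KernelCiPolicy -eq 2 -or $dgState.UserModeCiPolicy -eq 2)) {
    $priorities.Add('Code integrity policy enforced: CVE-2018-8449 Device Guard bypass is relevant here')
}

[pscustomobject]@{
    Host         = $env:COMPUTERNAME
    KbInstalled  = $kbState
    IsHyperVHost = $isHyperV
    DeviceGuard  = $dgState
    Priorities   = $priorities
}
```

Run it per host (for example through `Invoke-Command` against a list of servers) and collect the `Priorities` field; hosts with the cumulative update missing and the Hyper-V role running are the ones to schedule first.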