Today, Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month’s advisory release addresses 62 new vulnerabilities, with 17 of them rated critical, 43 are rated Important, one is listed as Moderate in severity. These vulnerabilities impact Microsoft Windows, Internet Explorer, Microsoft Edge, Microsoft Office and Microsoft Office Services and Web Apps, ChakraCore, .NET Framework, Microsoft.Data.OData, ASP.NET, Adobe Flash player and Re-release of Exchange 2010 update from May.


In-the-wild

CVE-2018-8440 – The vulnerability was dropped on twitter dead open by and since then there have been reports of it being exploited. The flawed Advanced Local Procedure Call (ALPC) function of the Windows Task scheduler allows an attacker or a malware with access or presence in the system to gain system level privileges.


Publicly disclosed vulnerabilities

1) CVE-2018-8475 – A critical remote code execution flaw exists in all the versions of Windows due to the way Windows handles specially crafted image files. To exploit this flaw, attackers need to convince users to open up an image.

2) CVE-2018-8457 – A remote user will be able to execute arbitrary code in the context of current user due to scripting engine failing to handle objects in the memory.

3) CVE-2018-8409 – A denial of service flaw exists in System.IO.Pipelines of .NET core.


Few other critical vulnerabilities

1) CVE-2018-8465 – This vulnerability in Chakra scripting engine of Microsoft Edge could allow malicious web sites to execute code under the privileges of current user.

2) CVE-2018-8420 – A flaw in Microsoft XML Core Services could allow attackers to perform remote code execution.

3) CVE-2018-8332 – This flaw in Win32k Graphics in Windows versions from Windows 10 through Windows Server could allow an attacker to create malicious font which on viewing could cause remote code execution.

4) CVE-2018-8391 – This flaw in Chakra scripting engine in Microsoft Edge could allow a malicious web site to perform remote code execution.

5) CVE-2018-8464 – This flaw in Microsoft Edge could allow a malicious PDF to execute code on a vulnerable machine.


September 2018 patch Tuesday release consists of security updates for the following softwares:

  • Microsoft Windows
  • Internet Explorer
  • Microsoft Edge
  • Microsoft Office and Microsoft Office Services and Web Apps
  • Microsoft Scripting Engine
  • Adobe Flash player
  • ASP.NET
  • .NET Framework
  • Microsoft.Data.OData
  • Re-release of Exchange 2010 update from May

Microsoft security bulletin summary for September 2018:

Product : Adobe Flash Player
CVE’s/Advisory : ADV180023
Severity : Important
Impact : Information Disclosure
KB’s : 4457146


Product : Internet Explorer
CVE’s/Advisory : CVE-2018-8315, CVE-2018-8447, CVE-2018-8452, CVE-2018-8457, CVE-2018-8461, CVE-2018-8470
Severity : Critical
Impact : Remote Code Execution, Information Disclosure, Security Feature Bypass
KB’s : 4457128, 4457129, 4457131, 4457132, 4457135, 4457138, 4457142, 4457144, 4457426, 4458010


Product : Microsoft Edge
CVE’s/Advisory : CVE-2018-8315, CVE-2018-8354, CVE-2018-8366, CVE-2018-8367, CVE-2018-8425, CVE-2018-8452, CVE-2018-8456, CVE-2018-8457, CVE-2018-8459, CVE-2018-8463, CVE-2018-8464, CVE-2018-8465, CVE-2018-8466, CVE-2018-8467, CVE-2018-8469
Severity : Critical
Impact : Remote Code Execution, Information Disclosure, Elevation of Privilege, Spoofing
KB’s : 4457128, 4457131, 4457132, 4457138, 4457142


Product : Microsoft Visual Studio and .NET Framework
CVE’s/Advisory : CVE-2018-8269, CVE-2018-8409, CVE-2018-8421, CVE-2018-8479
Severity : Critical
Impact : Remote Code Execution, Denial of Service, Spoofing
KB’s : 4457025, 4457026, 4457027, 4457028, 4457029, 4457030, 4457033, 4457034, 4457035, 4457036, 4457037, 4457038, 4457042, 4457043, 4457044, 4457045, 4457053, 4457054, 4457055, 4457056, 4457128, 4457131, 4457132, 4457138, 4457142


Product : ChakraCore
CVE’s/Advisory : CVE-2018-8315, CVE-2018-8354, CVE-2018-8367, CVE-2018-8391, CVE-2018-8452, CVE-2018-8456, CVE-2018-8459, CVE-2018-8465, CVE-2018-8466, CVE-2018-8467
Severity : Critical
Impact : Remote Code Execution, Information Disclosure


Product : Microsoft Office
CVE’s/Advisory : CVE-2018-8331, CVE-2018-8332, CVE-2018-8426, CVE-2018-8428, CVE-2018-8429, CVE-2018-8430, CVE-2018-8431, CVE-2018-8474
Severity : Critical
Impact : Elevation of Privilege, Impact, Information Disclosure, Remote Code Execution, Security Feature Bypass
KB’s : 4022207, 4032246, 4092447, 4092459, 4092460, 4092466, 4092467, 4092470, 4092479, 4227175


Product : Microsoft Windows
CVE’s/Advisory : CVE-2018-0965, CVE-2018-8271, CVE-2018-8332, CVE-2018-8335, CVE-2018-8336, CVE-2018-8337, CVE-2018-8392, CVE-2018-8393, CVE-2018-8410, CVE-2018-8419, CVE-2018-8420, CVE-2018-8422, CVE-2018-8424, CVE-2018-8433, CVE-2018-8434, CVE-2018-8435, CVE-2018-8436, CVE-2018-8437, CVE-2018-8438, CVE-2018-8439, CVE-2018-8440, CVE-2018-8441, CVE-2018-8442, CVE-2018-8443, CVE-2018-8444, CVE-2018-8445, CVE-2018-8446, CVE-2018-8449, CVE-2018-8455, CVE-2018-8462, CVE-2018-8468, CVE-2018-8475
Severity : Critical
Impact : Denial of Service, Elevation of Privilege, Impact, Information Disclosure, Remote Code Execution, Security Feature Bypass
KB’s : 4457128, 4457129, 4457131, 4457132, 4457135, 4457138, 4457140, 4457142, 4457143, 4457144, 4457145, 4457984, 4458010


SecPod Saner detects these vulnerabilities and automatically fixes it by applying security updates. Download Saner now and keep your systems updated and secure.


Summary
Patch Tuesday: Microsoft Security Bulletin Summary for September 2018
Article Name
Patch Tuesday: Microsoft Security Bulletin Summary for September 2018
Author
Publisher Name
SecPod Technologies
Publisher Logo
Loading Facebook Comments ...

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>