In this month’s Patch Tuesday release there are 61 vulnerabilities patched with 17 Criticals. Out of the criticals, most are browser-related, with the rest including Windows, Hyper-V, and .net Framework. A vulnerability (CVE-2018-8475) in Windows’ image parsing has been publicly disclosed, in addition to a vulnerability (CVE-2018-8457) in the Scripting Engine.
Browser and Scripting Engine patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. The PDF viewer, Windows image parsing, .net Framework, and Windows font library also have patches available that require a user to interact with a malicious site or file. With two of these vulnerabilities being publicly disclosed, it is important to prioritize Windows workstation patching.
Hyper-V Hypervisor Escape
Two remote code execution vulnerabilities are patched in Hyper-V that would allow an authenticated user on a guest system to run arbitrary code on the host system. Microsoft notes that exploitation of this vulnerability is less likely, but these patches should still be prioritized for Hyper-V systems.
While this vulnerability has not been patched, Microsoft has issued guidance for the FragmentSmack vulnerability which is a denial-of-service against the IP stack.
The 0-day mentioned in yesterday’s blog has been patched in this month’s release. The vulnerability results in local privilege escalation, and active attacks using the vulnerability have been found in the wild.
Adobe has released patches for Flash and Coldfusion. While Adobe lists CVE-2018-15967 as an “Important” privilege escalation against Flash, Microsoft lists this vulnerability as Critical and Remote Code Execution. For the Coldfusion patches, 9 CVEs are covered, with 6 if them labeled as Critical. In late August, Adobe also released out-of-band patches for Adobe Photoshop CC and Creative Cloud. Two Photoshop CVEs are listed as Critical, and one Creative Cloud vulnerability is labeled Important.