This month’s Patch Tuesday addresses 62 vulnerabilities, with 12 of them labeled as Critical. Out of the Criticals, 8 are for the Chakra Scripting Engine used by Microsoft Edge. A Remote Code Execution vulnerability in Windows Deployment Services’ TFTP server is also addressed in this release. Adobe also patched three Important vulnerabilities this month, although there is a PoC exploit available for Adobe Acrobat and Reader.
Browser and Scripting Engine patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users. Out of the 12 Critical vulnerabilities, 10 can be exploited through browsers or opening malicious files.
Windows Deployment Services TFTP Server RCE
Microsoft’s Windows Deployment Services uses TFTP to support image deployment via PXE booting. A flaw was discovered in the TFTP server that allows Remote Code Execution on an affected device. The patch for CVE-2018-8476 should be prioritized if WDS is used in your environment.
Microsoft Dynamics 365 RCE
Web requests are not properly sanitized in version 8 of Microsoft Dynamics 365 on-prem. This vulnerability could lead to remote code execution in the context of the SQL user. Any on-prem deployments of Dynamics 365 should have CVE-2018-8609 prioritized.
Active Attacks on Win32k Privilege Escalation
Microsoft has reported that there are active attacks detected against CVE-2018-8589. The vulnerability impacts Windows 7 and Server 2008 and 2008 R2. Microsoft has ranked this patch as Important.
Last week, Microsoft released an advisory on using software encryption rather than hardware, which has recently been shown to be ineffective in certain implementations. In addition, an unrelated patch for Bitlocker (CVE-2018-8566) was issued today. This vulnerability allows an attacker to access encrypted data if they have physical access to the system. Microsoft has ranked this patch as Important.
Adobe Patches, NTLM hash leaking, mitigations
Adobe released three patches for Flash, Acrobat/Reader, and Photoshop, all labeled Important. The vulnerability in Acrobat and Reader has publicly available PoC code, and should be installed as soon as possible. This flaw can lead to the leaking of the user’s NTLM hash, which could be brute-forced to determine the user’s password. Adobe has also released a document discussing mitigations for this vulnerability, which includes enabling a feature in Windows 10 that would prevent this style of attack, by stopping NTLM SSO from being used by external resources.