Microsoft released security patches for a slew of products today covering 61 vulnerabilities with 17 being rated critical focusing mainly on browsers, Windows and Office and it patched the ALPC zero-day that was reported last month.
All of the critical issues can lead to remote code execution if exploited, but the ALPC patch is probably the highest profile fix of the day as it is an elevation of privilege vulnerability that would “allow an attacker who successfully exploits this vulnerability could run arbitrary code in the context of the local system which pretty much gives them the run of the system,” said Chris Goettl, Ivanti’s director of product management for security.
The ALPC issue was almost immediately exploited with exploits coming days after it came to light.
“It didn't take long for malicious actors to incorporate this into real-world attacks, with users having no recourse until today's patches came out. Although an attacker would need to convince a user to download and open a specially crafted file to exploit this, if successful, they would be able to gain full system privileges,” said Greg Wiseman, Rapid7’s senior security researcher.
Goettle also called out CVE-2018-8409 and CVE-2018-8457 with the former being a Denial of Service Vulnerability in System.IO.Pipelines which could allow an attacker to cause a DoS against an application that is leveraging System.IO.Pipelines. This vulnerability can be exploited remotely, without authentication. The second is a memory corruption vulnerability in Microsoft’s Scripting Engine. An attacker could corrupt memory in such a way that they could execute arbitrary code in the context of the current user. The attacker would gain equal rights to the user context they exploit.
“A vulnerability (CVE-2018-8475) in Windows’ image parsing has been publicly disclosed, in addition to a vulnerability (CVE-2018-8457) in the Scripting Engine,” are worth extra-long look by admins said, Jimmy Graham, director of product management for Qualys.
Microsoft also released several patches to cover vulnerabilities in Adobe Flash Player and Cold Fusion.