Microsoft patches 17 critical flaws

Microsoft has released its September Patch Tuesday updates with fixes for 61 flaws as well as updates for flaws affecting Adobe’s Flash Player. 

The updates include security fixes for Internet Explorer, Edge, Windows, Office, ChakraCore, Hyper-V, the .NET Framework, and ASP.NET. Of the 61 flaws addressed, 17 are critical, 43 are rated as important and one is moderate.

As noted by the Zero Day Initiative, four flaws addressed in this update have been made public, while a Windows Advanced Local Procedure Call (ALPC) elevation of privilege flaw is already being exploited.

A proof-of-concept exploit for the ALPC issue, which affects Windows Task Scheduler, was published by a security researcher in late August and within days hackers had adapted it for real-world attacks. The bug has been tagged as CVE-2018-8440.

Also of note are two bugs, CVE-2018-0965 and CVE-2018-8439, which affect Windows Hyper-V and allow a user on a guest virtual machine to execute code on the underlying hypervisor OS.

Meanwhile, a critical Win32k graphics remote code execution flaw in the Windows font library may be exploited using specially crafted embedded fonts. The bug affects Office 2016 for Windows and Mac, as well as Windows 10, 7, and 8.1, and Windows Server.  

Microsoft has also warned that two critical remote code execution flaws affecting its Edge browser are likely to be exploited, as is a remotely exploitable flaw affecting Windows due to a bug in the Microsoft XML Core Services, which could allow a remote attacker to take control of the user’s system.

Details about a critical remote code execution flaw affecting Internet Explorer 11 and Edge have been publicly disclosed. Another critical flaw affecting Internet Explorer 11 should also be addressed quickly. If exploited, the flaw could give an attacker the same rights as the current user. If that user is logged in as administrator, the attacker could take control of the system and then install programs, modify or delete data, and create new accounts with full user rights.

Adobe’s fixes for Flash Player address a single privilege escalation vulnerability with an important rating. Versions 30.0.0.154 and earlier are affected.


Stories by Liam Tung
