Patch Tuesday saw Microsoft address 61 security flaws in Windows

Patch Tuesday: Microsoft plugs zero-day hole exploited by PowerPool

Microsoft and Adobe have each shipped out their scheduled batches of patches to address security flaws in their respective software

Microsoft and Adobe have each shipped out their scheduled batches of patches to address security flaws in their respective software

Microsoft’s Patch Tuesday this month is addressing 61 security flaws in Windows and other software, notably in web browsers Internet Explorer and Edge, as well as in Office, Sharepoint, Hyper-V, and the .NET Framework. Seventeen of the updates are rated as critical, as neatly summarized in this table by the SANS Technology Institute.

Importantly, this update round includes a fix for an important-rated vulnerability in the Windows 7 to 10 operating systems that ESET researchers spotted as being exploited in the wild by a newly-uncovered group called PowerPool only two days after the flaw was publicized via a (now deleted) post on Twitter. The zero-day bug, tracked under CVE-2018-8440, enables a restricted Windows user to obtain administrative rights on the unpatched system.

In addition, this month’s offering addresses three more vulnerabilities that surfaced prior to Tuesday, but aren’t known to have been under attack. Beyond CVE-2018-8409, a denial-of-service vulnerability in System.IO.Pipelines that is rated as “important”, two publicly known bugs received the “critical” rating:

The first of them, CVE-2018-8457, is a remote code execution flaw that, according to Microsoft’s advisory, lies in “the way the scripting engine handles objects in memory in Microsoft browsers”. This flaw could be exploited by a threat actor to lure the victims to visit a malicious website via a Microsoft web browser. “An attacker who successfully exploited the vulnerability could gain the same user rights as the current user,” said the technology giant.

The other critical and previously disclosed vulnerability, CVE-2018-8475, is a remote code execution vulnerability in Windows that occurs due to the systems’ improper handling of specially crafted image files. An attack could exploit the security hole to execute arbitrary code by tricking victims into loading a malicious image file.

Meanwhile, Adobe has given a bit of a patch party of its own, although in this case the tally is noticeably lower. The company’s update round this month includes nine fixes for ColdFusion, specifically versions 2018, 2016 and 11 of this web application development platform. This encompasses six updates rated as critical, five of which could allow attackers to run arbitrary code on the targeted system.

Adobe has also pushed out one update for Adobe Flash Player for Windows, macOS, Linux and Chrome operating systems. This privilege-escalation flaw is rated as “important“ and its successful exploitation could lead to information disclosure, said the company.

Discussion