8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
7.7 High
CVSS2
Access Vector
ADJACENT_NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:A/AC:L/Au:S/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.9%
Times to gear up your systems and software.
Just a few minutes ago Microsoft released its latest monthly Patch Tuesday update for September 2018, patching a total of 61 security vulnerabilities, 17 of which are rated as critical, 43 are rated Important, and one Moderate in severity.
This monthâs security updates patch vulnerabilities in Microsoft Windows, Edge, Internet Explorer, MS Office, ChakraCore, .NET Framework, Microsoft.Data.OData, ASP.NET, and more.
Four of the security vulnerabilities patched by the tech giant this month have been listed as âpublicly knownâ and more likely exploited in the wild at the time of release.
One of the four publicly disclosed vulnerabilities is a critical remote code execution flaw (CVE-2018-8475) in Microsoft Windows and affects all versions Windows operating system, including Windows 10.
The Windows RCE vulnerability resides in the way Windows handles specially crafted image files. To execute malicious code on a target system, all a remote attacker needs to do is just convince a victim to view an image.
Given its severity and easiness of exploitation, you can expect an exploit targeting Windows users in coming days.
The latest patch update also addresses an âimportantâ zero-day vulnerability in Windows Advanced Local Procedure Call (ALPC) that was publicly disclosed last week on Twitter.
If exploited, the flaw (CVE-2018-8440) could allow a local attacker or malicious program to gain and run code with administrative system privileges on the targeted machines.
According to Microsoft, the flaw is actively being exploited in the wild and requires immediate attention. The proof-of-concept (PoC) exploit for this privilege escalation flaw in Windows is available on Github.
Another publicly disclosed flaw is a remote code execution vulnerability (CVE-2018-8457) in the scripting engine, which exists when the scripting engine fails to properly handle objects in memory in Microsoft browsers, allowing an unauthenticated, remote attacker to execute arbitrary code on a targeted system in the context of the currently logged-in user.
> âIf the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system,â Microsoft explains.
âAn attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.â
The vulnerability affects Microsoft Edge, Internet Explorer 11 and Internet Explorer 10.
This month patch update also includes patches for two critical remote code execution vulnerabilities in Windows Hyper-V, a native hypervisor for running virtual machines on Windows servers.
Both the flaws (CVE-2018-0965 and CVE-2018-8439) exist when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system.
Both RCE vulnerabilities can be exploited by a malicious guest user by running a specially crafted application on the virtual operating system to eventually execute arbitrary code on the host operating system.
Besides this, Microsoft has also pushed security updates to patch a critical remote code execution vulnerability in Adobe Flash Player, details of which you can get through a separate article posted today.
Adobe has labeled the same privilege escalation vulnerability (CVE-2018-15967) as important, while Microsoft marked it as a critical remote code execution flaw.
Users are strongly advised to apply all security patches as soon as possible to keep hackers and cybercriminals away from taking control of their computers.
For installing security updates, directly head on to Settings â Update & security â Windows Update â Check for updates, or you can install the updates manually.
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
7.7 High
CVSS2
Access Vector
ADJACENT_NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:A/AC:L/Au:S/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.9%