Microsoft released fixes for over 60 CVEs yesterday as part of its monthly update round, three of which have been publicly disclosed and one of which was being actively exploited in the wild.
CVE-2018-8440 is an Elevation of Privilege vulnerability in Windows Advanced Local Procedure Call (ALPC) which was disclosed by researcher and Twitter user @SandboxEscaper on August 27.
“It didn’t take long for malicious actors to incorporate this into real-world attacks, with users having no recourse until today’s patches came out,” explained Rapid7 senior security researcher, Greg Wiseman. “Although an attacker would need to convince a user to download and open a specially crafted file to exploit this, if successful, they would be able to gain full system privileges.”
The remaining three publicly disclosed vulnerabilities are not currently being exploited in the wild but admins are encouraged to patch them.
“CVE-2018-8409 is a Denial of Service (DoS) vulnerability in System.IO.Pipelines which could allow an attacker to cause a DoS against an application that is leveraging System.IO.Pipelines. This vulnerability can be exploited remotely, without authentication,” explained Ivanti director of product management, Chris Goettl. “The challenge with this update is that you need to take the new versions of .NET Core 2.1 or ASP.NET Core 2.1 and implement the updated binaries into your application. It is not a simple patch that can be applied.”
CVE-2018-8475 is notable in being an RCE bug in Windows that could be “a very tempting vector for social engineering attacks,” according to Wiseman.
Finally, there’s CVE-2018-8457, a Memory Corruption vulnerability in Microsoft’s Scripting Engine.
“An attacker could corrupt memory in such a way that they could execute arbitrary code in the context of the current user. The attacker would gain equal rights to the user context they exploit. Least privilege will mitigate the impact if this vulnerability is successfully exploited,” explained Goettl.
“There are multiple user-targeted attack vectors that could be used to exploit this vulnerability, including web-based attack scenarios where specially created websites could host malicious content, as an embed in an ActiveX control marked ‘safe for initialization’ within an application or Office document.”
Adobe released a fix for just one CVE this week, an important vulnerability that could lead to privilege escalation.