Patch Tuesday: Microsoft plugs zero-day hole exploited by PowerPool
Cyber Security

Patch Tuesday: Microsoft plugs zero-day hole exploited by PowerPool

Microsoft’s Patch Tuesday this month is addressing 61 security flaws in Windows and other software, notably in web browsers Internet Explorer and Edge, as well as in Office, Sharepoint, Hyper-V, and the .NET Framework. Seventeen of the updates are rated as critical, as neatly summarized in this table by the SANS Technology Institute.

Importantly, this update round includes a fix for an important-rated vulnerability in the Windows 7 to 10 operating systems that ESET researchers spotted as being exploited in the wild by a newly-uncovered group called PowerPool only two days after the flaw was publicized via a (now deleted) post on Twitter. The zero-day bug, tracked under CVE-2018-8440, enables a restricted Windows user to obtain administrative rights on the unpatched system.

In addition, this month’s offering addresses three more vulnerabilities that surfaced prior to Tuesday, but aren’t known to have been under attack. Beyond CVE-2018-8409, a denial-of-service vulnerability in System.IO.Pipelines that is rated as “important”, two publicly known bugs received the “critical” rating:

The first of them, CVE-2018-8457, is a remote code execution flaw that, according to Microsoft’s advisory, lies in “the way the scripting engine handles objects in memory in Microsoft browsers”. This flaw could be exploited by a threat actor to lure the victims to visit a malicious website via a Microsoft web browser. “An attacker who successfully exploited the vulnerability could gain the same user rights as the current user,” said the technology giant.

The other critical and previously disclosed vulnerability, CVE-2018-8475, is a remote code execution vulnerability in Windows that occurs due to the systems’ improper handling of specially crafted image files. An attack could exploit the security hole to execute arbitrary code by tricking victims into loading a malicious image file.

Meanwhile, Adobe has given a bit of a patch party of its own, although in this case the tally is noticeably lower. The company’s update round this month includes nine fixes for ColdFusion, specifically versions 2018, 2016 and 11 of this web application development platform. This encompasses six updates rated as critical, five of which could allow attackers to run arbitrary code on the targeted system.

Adobe has also pushed out one update for Adobe Flash Player for Windows, macOS, Linux and Chrome operating systems. This privilege-escalation flaw is rated as “important“ and its successful exploitation could lead to information disclosure, said the company.





Articles You May Like

Hackers Win $105,000 for Reporting Critical Security Flaws in Sonos One Speakers
NXP unveils its latest processor, the i.MX 91, during Computex
No one has done AR or VR well. Can Apple?
Serious Security: Verification is vital – examining an OAUTH login bug
Danni Brooke to Spotlight the Role of Women in Cyber at Infosecurity Europe 2023

Leave a Reply

Your email address will not be published. Required fields are marked *