Microsoft Releases Updates for 17 Vulnerabilities

3 Min Read

Microsoft released its latest Patch update for September 2018, patching a total of 61 security vulnerabilities. 17 of them are rated as critical, while 43 are rated Important, and one Moderate in severity.

Four of these vulnerabilities patched by the Microsoft this month have been listed as public, and likely are being exploited in the wild at the time of release.

CVE-2018-8475: Windows Critical RCE Vulnerability

One of the four critical vulnerabilities is a remote code execution flaw (CVE-2018-8475) in Microsoft Windows and affects all versions of Windows operating system, including Windows 10.

The Windows RCE vulnerability is exploitable through the way in which Windows handles specially crafted image files. To execute the code on a target system, all a attacker needs to do is just convince a victim to view an image.

CVE-2018-8440: Windows ALPC Elevation of Privilege Vulnerability

The latest patch also addresses an “important” zero-day vulnerability in Windows Advanced Local Procedure Call (ALPC) that was publicly disclosed on Twitter  not long time ago.

If exploited, the CVE-2018-8440 could allow a local attacker or malicious program to gain and run code with system privileges on the targeted machines.

According to Microsoft, this exploit is being exploited in the wild and requires immediate Windows OS update. The proof-of-concept (PoC) of this exploit is available on Github.

CVE-2018-8457: Scripting Engine Memory Corruption Vulnerability

CVE-2018-8457 is a remote code execution vulnerability in the scripting engine, which exists when the scripting engine fails to properly handle objects in memory in Microsoft browsers, allowing an remote attacker to execute code on a targeted system “in-the-name” of the currently logged-in user.

Two Windows Hyper-V Remote Code Execution Vulnerabilities

Both the CVE-2018-0965 and CVE-2018-8439 exist when Windows Hyper-V on a host server fails to validate input from an authenticated user on a guest operating system.

Both vulnerabilities can be exploited by a attacker posing as a guest user by running a specially crafted application on the virtual system to execute arbitrary code on the host system.

Patch All Of Them!

Other than this, Microsoft has additionally pushed security updates to fix a basic remote code execution weakness in Flash Player.  Adobe has labeled this priviledge escalation vulnerability CVE-2018-15967 as essential, while Microsoft checked it as a basic remote code execution defect.

Everyone is  encouraged to apply all security fixes as quickly as it is possible in order to prevent cybercriminals from taking control of their systems.

For introducing security updates, straightforwardly go to Settings → Update and security → Windows Update → Check for updates, or you can introduce the updates manually.

Share This Article
Leave a comment