Microsoft and Abode have issued their monthly collection of software patches and, as ever, both contain fixes that deserve swift attention.
The first on an infosec team’s to-do list may well be CVE-2018-8440, which Microsoft has described as “An elevation of privilege vulnerability” that manifests when “Windows improperly handles calls to Advanced Local Procedure Call".
“An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
The news isn’t all bad, as “To exploit this vulnerability, an attacker would first have to log on to the system”. But once logged in, the “attacker could then run a specially crafted application that could exploit the vulnerability and take control over an affected system".
Microsoft has also advised of an as-yet-unpatched problem dubbed “FragmentSmack" that could see an attacker “send many 8-byte sized IP fragments with random starting offsets, but withhold the last fragment and exploit the worst-case complexity of linked lists in reassembling IP fragments.”
“A system under attack would become unresponsive with 100% CPU utilisation but would recover as soon as the attack terminated.”
Other fixes address issues with:
- Internet Explorer
- Microsoft Edge
- Microsoft Windows
- Microsoft Office and Microsoft Office Services and Web Apps
- Adobe Flash Player
- .NET Framework
Seventeen of the fixes are rated critical because they can allow code execution. Among those flaws is one that impacts and allows arbitrary code execution. Microsoft may not mind CVE-2018-8336, because while it allows unauthorised parties to take over Windows Server 2008 and Windows 7, Microsoft is trying to hustle users off those old platforms anyway!
Five updates improve security in Microsoft’s Edge and Internet Explorer browsers. Three fix flaws in Windows Server 2008 on Itanium, the seldom-used HPE/Intel silicon collaboration that utterly failed to excite enterprise buyers.
The full list of patches Microsoft patches can be found here.
Adobe’s also issued its monthly patches. Readers will not be surprised to learn that the ever-porous Flash Player has a problem that could "lead to information disclosure." Adobe’s other patches address a ColdFusion issue “that could lead to arbitrary code execution.”