Update now! Microsoft’s September 2018 Patch Tuesday is here

Patch Tuesday is upon Windows users once again, delivering fixes for 61 security flaws, including one confirmed zero day, several vulnerabilities in the public domain, and the now-standard Adobe Flash vulnerability to remind everyone they should stop using it.

There are several ways to cut every Patch Tuesday, but the headline vulnerabilities are usually the best place to start: 61 CVEs, 17 flaws rated as critical, and a flaw affecting Adobe Flash Player.

ALPC zero day

The standout this month is CVE-2018-8440, a system-compromising issue in the Windows Task Scheduler’s Advanced Local Procedure Call (ALPC) function, revealed on 27 August by someone on Twitter using the ID SandboxEscaper, complete with a GitHub proof-of-concept.

By early September an in-the-wild exploit had been spotted. Security company Acros Security quickly issued its own micropatch for the flaw, although only for Windows 10 64-bit version 1803.

A limitation is that the attacker would need to be logged in to the affected system locally but as that could easily happen using a malicious attachment, this one needs immediate attention.

Public flaws

According to Microsoft, three other flaws are in the public domain, with the biggie being CVE-2018-8475 – a critical-rated remote code execution (RCE) in the Windows Graphics Component that could allow an attacker to compromise a system simply by getting a user to view an image file.

Also in limbo are CVE-2018-8457, a critical-rated scripting engine memory corruption vulnerability, and CVE-2018-8409, a denial of service vulnerability in the System.IO.Pipelines rated one notch down at ‘important’. No exploits are known for these, but Microsoft has placed them in the ‘public’ category, which gives patching them added urgency.

Adobe Flash

It wouldn’t be Patch Tuesday without at least one Flash flaw and, sure enough, September delivers with ADV180023, aka CVE-2018-15967. It’s a patch for the important-rated Flash flaw identified as APSB18-31 affecting Adobe Flash Player plus the plug-ins for Chrome, Firefox, Edge, and IE11. There are doubtless good reasons why some people persevere with Flash, but the list is surely shrinking by the day, with most browsers now requiring users to manually enable its use.

Others to watch

  • CVE-2018-0965 – “a critical remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system.”
  • CVE-2018-8430 and CVE-2018-8331 – RCE flaws affecting Word and Excel respectively.

As for updates, Windows 10 users running the April 2018 Windows 10 update (17134.285) will be presented with KB4457128, while for those still on last year’s Fall Creators refresh (16299.665) it’s KB4457142.  For Windows 7, it’s KB4457144.

Still confused? SANS ISC publishes its own product breakdown on September’s flaws, which helpfully includes their CVSS scores.