October’s Patch Tuesday proved to be another big month for Microsoft which addressed 49 vulnerabilities, 12 critical, including a zero-day in the Microsoft JET database engine.
The number of vulnerabilities patched this month is down from the 61 covered in September, but industry insiders were still able to point out some severe problems that were fixed with this update. The critical rated vulnerabilities for the month were CVE-2018-8473, CVE-2018-8460, CVE-2018-8489, CVE-2018-8490, CVE-2018-8491, CVE-2018-8494, CVE-2018-8500, CVE-2018-8505, CVE-2018-8509, CVE-2018-8510, CVE-2018-8511 and CVE-2018-8513.
However, most of the flaws picked by those who spoke to SC Media were not rated critical, but still considered important enough to be singled out.
Glen Pendley, Tenable’s deputy CTO, told SC Media his number one pick for the month was the previously reported Microsoft JET Database Engine, CVE-2018-8423, that was originally disclosed last month along with a sample exploit code so he said its important to update immediately. The vulnerability allows an attacker to send a user a specially crafted malicious file that, when opened, can cause the JET engine to execute an out-of-bounds write allowing for remote code execution.
“The JET Database Engine software is ubiquitous. It’s shipped on all Windows machines and is leveraged by a number of applications, including Microsoft Office. Needless to say, a remote code execution flaw with a known public exploit should be prioritized and patched as soon as possible," Pendley said.
The zero-day is a Win32k Elevation of Privilege vulnerability, CVE-2018-8453, was called out by Chris Goettl, Invanti’s director of product management, security, as major because it is present in all operating systems with updates this month from Server 2008 through Windows 10.
“This vulnerability exists in the Win32 component of the operating system and fails to properly handle objects in memory. An attacker first needs to log into the operating system, but then can exploit this vulnerability to run code in the kernel and gain administrator privileges,” Goettl said.
The memory corruption vulnerabilities in the ChakraCore Scripting Engine, and Internet Explorer 11 (CVE-2018-8473 & CVE-2018-8460) said Allan Liska, threat intelligence analyst from Recorded Future.
“This is a relatively easy to exploit remote code exploitation vulnerability, similar to those announced in June and August of this year. The vulnerability allows attackers to create specially crafted websites that will exploit users with unpatched browsers and load malicious code, known as loaders, into memory which are used to install more malicious implants,” he said.
Animesh Jain, Qualys’ product manager for VM Signatures, singled out several remote code execution vulnerabilities that which admins should take note. He described CVE-2018-8489 and CVE-2018-8490 in Hyper-V Hypervisor Escape as less likely to be exploited, but if so could allow an authenticated user on a guest system to run arbitrary code on the host system so they should be prioritized. CVE-2010-3190 is a remote code execution code vulnerability exists in the way certain applications built using Microsoft Foundation Classes (MFC) handle the loading of DLL files. The patch corrects how applications built using Microsoft Foundation Classes load DLL files.