October Patch Tuesday


Greg Wiseman, Senior Security Researcher at Rapid7:

“This month’s patches from Microsoft include fixes for 49 distinct vulnerabilities. One that’s already been exploited in the wild is CVE-2018-8453, a privilege escalation vulnerability allowing an attacker to gain full control over a system as long as they first have a way to execute code on the affected system (for example via a Remote Code Execution (RCE) vulnerability, which nearly half of this month’s flaws are).

Three other vulnerabilities are not yet known to be exploited, but have been publicly disclosed. CVE-2018-8497 is another elevation of privilege vulnerability affecting Windows 10 / Server 2016 and newer. CVE-2018-8423 is an RCE in Microsoft’s JET Database Engine and affects all supported versions of Windows. The third public vulnerability is another RCE, relevant to developers who build products using the Azure IoT Hub Device Client C# SDK.

As usual, most of the vulnerabilities this month affect browsers (IE and/or Edge). IE 11 in particular has two nasty RCEs, CVE-2018-8460 and CVE-2018-8491, which can both be exploited via browsing to a malicious web page. CVE-2018-8494 is a Critical RCE in MS XML, meaning browsers are a potential vector. Hyper-V also has two Critical RCEs; both CVE-2018-8489 and CVE-2018-8490 could allow a guest operating system to cause the host to execute arbitrary code.

Back-end administrators should take note of the updates for Exchange (resolving three vulnerabilities, two of which are RCE), SharePoint (resolving four elevation of privilege vulnerabilities) and SQL Server Management Studio (resolving three information disclosure vulnerabilities).

One last note: There are already patches for Windows 1809 and Windows Server 2019, both of which were only released for general availability last week with some users reporting data loss after updating, causing Microsoft to pause the rollout.”