Posted: 21 Min Read Threat Intelligence

Microsoft Patch Tuesday – September 2018

This month the vendor has patched 61 vulnerabilities, 17 of which are rated Critical.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft's summary of the September 2018 releases can be found here:
https://portal.msrc.microsoft.com/en-us/security-guidance

This month's update covers vulnerabilities in:

  • Internet Explorer
  • Microsoft Edge
  • Microsoft Office
  • .NET Framework
  • Microsoft Windows
  • Device Guard Code
  • Hyper-V
  • JET Database Engine
  • Azure IoT SDK
  • Lync for Mac
  • ChakraCore


The following is a breakdown of the issues being addressed this month:

  1. Cumulative Security Update for Microsoft Browsers

    Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2018-8367) MS Rating: Critical

    A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

     

    Scripting Engine Memory Corruption Vulnerability (CVE-2018-8391) MS Rating: Critical

    A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

     

    Internet Explorer Memory Corruption Vulnerability (CVE-2018-8447) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

     

    Scripting Engine Memory Corruption Vulnerability (CVE-2018-8456) MS Rating: Critical

    A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

     

    Scripting Engine Memory Corruption Vulnerability (CVE-2018-8457) MS Rating: Critical

    A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

     

    Scripting Engine Memory Corruption Vulnerability (CVE-2018-8459) MS Rating: Critical

    A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

     

    Internet Explorer Memory Corruption Vulnerability (CVE-2018-8461) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

     

    Microsoft Edge PDF Remote Code Execution Vulnerability (CVE-2018-8464) MS Rating: Critical

    An remote code execution vulnerability exists when Microsoft Edge PDF Reader improperly handles objects in memory. The vulnerability could corrupt memory in such a way that enables an attacker to execute arbitrary code in the context of the current user.

     

    Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2018-8465) MS Rating: Critical

    A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

     

    Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2018-8466) MS Rating: Critical

    A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

     

    Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2018-8467) MS Rating: Critical

    A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

     

    Microsoft Browsers Information Disclosure Vulnerability (CVE-2018-8315) MS Rating: Important

    An information disclosure vulnerability exists when the browser scripting engine improperly handle object types. An attacker who has successfully exploited this vulnerability might be able to read privileged data across trust boundaries.

     

    Scripting Engine Memory Corruption Vulnerability (CVE-2018-8354) MS Rating: Important

    A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

     

    Microsoft Edge Information Disclosure Vulnerability (CVE-2018-8366) MS Rating: Important

    An information disclosure vulnerability exists when the Microsoft Edge Fetch API incorrectly handles a filtered response type. An attacker could use the vulnerability to read the URL of a cross-origin request. Websites that that do not securely populate the URL with confidential information could allow information to be disclosed to an attacker.

     

    Microsoft Edge Spoofing Vulnerability (CVE-2018-8425) MS Rating: Important

    A spoofing vulnerability exists when Microsoft Edge improperly handles specific HTML content. An attacker who successfully exploited this vulnerability could trick a user into believing that the user was on a legitimate website. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services.

     

    Microsoft Browser Information Disclosure Vulnerability (CVE-2018-8452) MS Rating: Important

    An information disclosure vulnerability exists when the scripting engine does not properly handle objects in memory in Microsoft browsers. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system.

     

    Microsoft Edge Elevation of Privilege Vulnerability (CVE-2018-8463) MS Rating: Important

    An elevation of privilege vulnerability exists in Microsoft Edge that could allow an attacker to escape from the AppContainer sandbox in the browser. An attacker who successfully exploited this vulnerability could gain elevated privileges and break out of the Edge AppContainer sandbox.

     

    Microsoft Edge Elevation of Privilege Vulnerability (CVE-2018-8469) MS Rating: Important

    An elevation of privilege vulnerability exists in Microsoft Edge that could allow an attacker to escape from the AppContainer sandbox in the browser. An attacker who successfully exploited this vulnerability could gain elevated privileges and break out of the Edge AppContainer sandbox.

     

    Internet Explorer Elevation of Privilege Vulnerability (CVE-2018-8470) MS Rating: Important

    A Security Seature Bypass vulnerability exists in Internet Explorer due to how scripts are handled that allows a universal cross-site scripting (UXSS) condition. An attacker could use the UXSS vulnerability to access any session belonging to web pages currently opened (or cached) by the browser at the time the attack is triggered.

     

  2. Cumulative Security Update for Microsoft Office

    Microsoft Excel Remote Code Execution Vulnerability (CVE-2018-8331) MS Rating: Important

    A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user.

     

    Microsoft Office SharePoint XSS Vulnerability (CVE-2018-8426) MS Rating: Important

    A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server.

     

    Microsoft SharePoint Elevation of Privilege Vulnerability (CVE-2018-8428) MS Rating: Important

    An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server.

     

    Word PDF Remote Code Execution Vulnerability (CVE-2018-8430) MS Rating: Important

    A remote code execution vulnerability exists in Microsoft Word 2013 and Microsoft Word 2016 if a user opens a specially crafted PDF file. An attacker who successfully exploited the vulnerability could cause arbitrary code to execute in the context of the current user. To exploit the vulnerability, an attacker must entice the user to open a specially crafted PDF file.

     

    Microsoft Excel Information Disclosure Vulnerability (CVE-2018-8429) MS Rating: Important

    An information disclosure vulnerability exists when Microsoft Excel improperly discloses the contents of its memory. An attacker who exploited the vulnerability could access information previously deleted from the active worksheet. To exploit the vulnerability, an attacker could craft a special document file and then convince the user to open it.

     

    Microsoft SharePoint Elevation of Privilege Vulnerability (CVE-2018-8431) MS Rating: Important

    An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server.

     

  3. Cumulative Security Update for Microsoft .NET Framework

    .NET Framework Remote Code Execution Vulnerability (CVE-2018-8421) MS Rating: Critical

    A remote code execution vulnerability exists when Microsoft .NET Framework processes untrusted input. An attacker can exploit this vulnerability using the .NET framework to take control of an affected system.

     

    ASP.NET Core Denial of Service (CVE-2018-8409) MS Rating: Important

    A denial of service vulnerability exists when ASP.NET Core improperly handles web requests. An attacker can exploit this vulnerability to cause a denial of service against a ASP.NET Core web application. The vulnerability can be exploited remotely, without authentication.

     

    OData Denial of Service Vulnerability (CVE-2018-8269) MS Rating: Important

    A denial of service vulnerability exists when OData Library improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an OData web application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the OData application.

     

  4. Cumulative Security Update for Microsoft Windows Kernel

    Windows Kernel Information Disclosure Vulnerability (CVE-2018-8336) MS Rating: Important

    An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. An authenticated attacker could exploit this vulnerability by running a specially crafted application.

     

    Windows Kernel Information Disclosure Vulnerability (CVE-2018-8419) MS Rating: Important

    An information disclosure vulnerability exists when the Windows kernel fails to properly initialize a memory address. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application.

     

    Windows Kernel Information Disclosure Vulnerability (CVE-2018-8442) MS Rating: Important

    An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. An authenticated attacker could exploit this vulnerability by running a specially crafted application.

     

    Windows Kernel Information Disclosure Vulnerability (CVE-2018-8443) MS Rating: Important

    An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. An authenticated attacker could exploit this vulnerability by running a specially crafted application.

     

    Windows Kernel Information Disclosure Vulnerability (CVE-2018-8445) MS Rating: Important

    An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. An authenticated attacker could exploit this vulnerability by running a specially crafted application.

     

    Windows Kernel Information Disclosure Vulnerability (CVE-2018-8446) MS Rating: Important

    An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. An authenticated attacker could exploit this vulnerability by running a specially crafted application.

     

    Windows Kernel Elevation of Privilege Vulnerability (CVE-2018-8455) MS Rating: Important

    An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application.

     

  5. Cumulative Security Update for Microsoft Microsoft Windows Hyper-V

    Windows Hyper-V Remote Code Execution Vulnerability (CVE-2018-0965) MS Rating: Critical

    A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code. An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system.

     

    Windows Hyper-V Remote Code Execution Vulnerability (CVE-2018-8439) MS Rating: Critical

    A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code. An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system.

     

    Windows Hyper-V Denial of Service Vulnerability (CVE-2018-8436) MS Rating: Important

    A denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system. An attacker who successfully exploited the vulnerability could cause the host server to crash. To exploit the vulnerability, an attacker who already has a privileged account on a guest operating system, running as a virtual machine, could run a specially crafted application that causes a host machine to crash.

     

    Windows Hyper-V Denial of Service Vulnerability (CVE-2018-8437) MS Rating: Important

    A denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system. An attacker who successfully exploited the vulnerability could cause the host server to crash. To exploit the vulnerability, an attacker who already has a privileged account on a guest operating system, running as a virtual machine, could run a specially crafted application that causes a host machine to crash.

     

    Windows Hyper-V Information Disclosure Vulnerability (CVE-2018-8434) MS Rating: Important

    An information disclosure vulnerability exists when Windows Hyper-V on a host operating system fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker on a guest operating system could run a specially crafted application that could cause the Hyper-V host operating system to disclose memory information. An attacker who successfully exploited the vulnerability could gain access to information on the Hyper-V host operating system.

     

    Windows Hyper-V Security Feature Bypass Vulnerability (CVE-2018-8435) MS Rating: Important

    A security feature bypass vulnerability exists when Windows Hyper-V BIOS loader fails to provide a high-entropy source. To exploit this vulnerability, an attacker would need to reboot a guest virtual machine numerous times until the vulnerability is triggered.

     

    Windows Hyper-V Denial of Service Vulnerability (CVE-2018-8438) MS Rating: Important

    A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application.

     

  6. Cumulative Security Update for Microsoft JET Database Engine

    Microsoft JET Database Engine Remote Code Execution Vulnerability (CVE-2018-8392) MS Rating: Important

    A buffer overflow vulnerability exists in the Microsoft JET Database Engine that could allow remote code execution on an affected system. An attacker who successfully exploited this vulnerability could take control of an affected system.

     

    Microsoft JET Database Engine Remote Code Execution Vulnerability (CVE-2018-8393) MS Rating: Important

    A buffer overflow vulnerability exists in the Microsoft JET Database Engine that could allow remote code execution on an affected system. An attacker who successfully exploited this vulnerability could take control of an affected system.

     

  7. Cumulative Security Update for Microsoft Windows

    Win32k Graphics Remote Code Execution Vulnerability (CVE-2018-8332) MS Rating: Critical

    A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited this vulnerability could take control of the affected system.

     

    MS XML Remote Code Execution Vulnerability (CVE-2018-8420) MS Rating: Critical

    A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input. An attacker who successfully exploited the vulnerability could run malicious code remotely to take control of the user's system. To exploit the vulnerability, an attacker could host a specially crafted website designed to invoke MSXML through a web browser.

     

    Windows Remote Code Execution Vulnerability (CVE-2018-8475) MS Rating: Critical

    A remote code execution vulnerability exists when Windows image file loading functionality does not properly handle malformed image files. An attacker who successfully exploited the vulnerability could execute arbitrary code. To exploit the vulnerability, an attacker would have to convince a user to load a malformed image file from either a webpage or an email message.

     

    Windows SMB Denial of Service Vulnerability (CVE-2018-8335) MS Rating: Important

    A denial of service vulnerability exists in the Microsoft Server Block Message (SMB) when an attacker sends specially crafted requests to the server. An attacker who exploited this vulnerability could cause the affected system to crash. To attempt to exploit this issue, an attacker would need to send specially crafted SMB requests to the target system.

     

    Windows SMB Information Disclosure Vulnerability (CVE-2018-8444) MS Rating: Important

    An information disclosure vulnerability exists in the way that the Microsoft Server Message Block 2.0 (SMBv2) server handles certain requests. An attacker who successfully exploited this vulnerability could craft a special packet, which could lead to information disclosure from the server. To exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv2 server.

     

    Windows Information Disclosure Vulnerability (CVE-2018-8271) MS Rating: Important

    An information disclosure vulnerability exists in Windows when the Windows bowser.sys kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could potentially disclose contents of System memory. To exploit this vulnerability, an attacker would have to log on to the system first and then run a specially crafted application in user mode.

     

    Windows Subsystem for Linux Security Feature Bypass Vulnerability (CVE-2018-8337) MS Rating: Important

    A security feature bypass vulnerability exists when Windows Subsystem for Linux improperly handles case sensitivity. An attacker who successfully exploited this vulnerability could replace or delete abitrary files as a low privilege user. An attacker could exploit this vulnerability by running a specially crafted application.

     

    Windows Registry Elevation of Privilege Vulnerability (CVE-2018-8410) MS Rating: Important

    An elevation of privilege vulnerability exists when the Windows Kernel API improperly handles registry objects in memory. An attacker who successfully exploited the vulnerability could gain elevated privileges on a targeted system. A locally authenticated attacker could exploit this vulnerability by running a specially crafted application.

     

    Windows GDI Information Disclosure Vulnerability (CVE-2018-8424) MS Rating: Important

    An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.

     

    Microsoft Graphics Component Information Disclosure Vulnerability (CVE-2018-8433) MS Rating: Important

    An information disclosure vulnerability exists when the Windows Graphics component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. An authenticated attacker could exploit this vulnerability by running a specially crafted application.

     

    Windows ALPC Elevation of Privilege Vulnerability (CVE-2018-8440) MS Rating: Important

    An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system.

     

    Windows Subsystem for Linux Elevation of Privilege Vulnerability (CVE-2018-8441) MS Rating: Important

    An elevation of privilege vulnerability exists due to an integer overflow in Windows Subsystem for Linux. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application.

     

    Device Guard Security Feature Bypass Vulnerability (CVE-2018-8449) MS Rating: Important

    A security feature bypass exists when Device Guard incorrectly validates an untrusted file. An attacker who successfully exploited this vulnerability could make an unsigned file appear to be signed. Because Device Guard relies on the signature to determine the file is non-malicious, Device Guard could then allow a malicious file to execute.

     

    DirectX Graphics Kernel Elevation of Privilege Vulnerability (CVE-2018-8462) MS Rating: Important

    An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context.

     

    Windows Elevation of Privilege Vulnerability (CVE-2018-8468) MS Rating: Important

    An elevation of privilege vulnerability exists when Windows, allowing a sandbox escape. An attacker who successfully exploited the vulnerability could use the sandbox escape to elevate privileges on an affected system.

     

  8. Security Update for Microsoft Azure IoT SDK

    Azure IoT SDK Spoofing Vulnerability (CVE-2018-8479) MS Rating: Important

    A spoofing vulnerability exists for the Azure IoT Device Provisioning for the C SDK library using the HTTP protocol on Windows platform. An attacker who successfully exploited this vulnerability could impersonate a server used during the provisioning process. To exploit this vulnerability, an attacker would need to perform a man-in-the-middle (MitM) attack on the network that provisioning was taking place.

     

  9. Security Update for Lync for Mac

    Lync for Mac 2011 Security Feature Bypass Vulnerability (CVE-2018-8474) MS Rating: Important

    A security bypass vulnerability exists when Lync for Mac 2011 fails to properly sanitize specially crafted messages. An attacker who successfully exploited this vulnerability could cause a targeted Lync for Mac 2011 user's system to browse to an attacker-specified website or automatically download file types on the operating system's safe file type list.

     

More information is available on Symantec's free Security Center portal and to our customers through the DeepSight Threat Management System.

About the Author

Himanshu Mehta

Senior Threat Analysis Engineer

Himanshu is a senior member of Symantec's Cyber Security Services organization. An active contributor to numerous security communities, he frequently provides insight on vulnerabilities and shares his knowledge by writing reports, blogs, and journals.

Want to comment on this post?

We encourage you to share your thoughts on your favorite social platform.