Microsoft patches recent ALPC zero-day in September 2018 Patch Tuesday updates

Microsoft engineers patch 62 vulnerabilities, including 17 rated 'Critical'
Written by Catalin Cimpanu, Contributor

The monthly Microsoft security updates, known as the Patch Tuesday updates, are out, and this month the OS maker has fixed 62 security flaws, including a recent zero-day vulnerability that was dumped on Twitter last month and later adopted by a malware campaign.

This month, patches were made available for products such as Microsoft Windows, Microsoft Edge, Internet Explorer, ASP.NET, the .NET Framework, Edge's ChakraCore component, Adobe Flash Player, Microsoft.Data.OData, Microsoft Office, and Microsoft Office Services and Web Apps.

Of all the 62 fixes, the most important was the one tracked as CVE-2018-8440. This vulnerability, as discussed at the time in a more detailed article, allows malware or an attacker already present on a system to gain SYSTEM-level access by exploiting a flaw in the Advanced Local Procedure Call (ALPC) function of the Windows Task Scheduler.

Details about this vulnerability, including proof-of-concept exploit code, were disclosed in late August on Twitter, and the vulnerability was later incorporated into an active malware distribution campaign by a cyber-criminal group known as PowerPool.

But while this was the only unpatched vulnerability exploited in the wild, it was not the only security bug about which details became public before Microsoft had a chance to release a patch.

Details about three others were also published online, but to Microsoft's knowledge no threat actor launched any attacks using them. The three are:

Of these three, the first one was classified as "Important," while the second and third were rated "Critical," meaning exploitation was not too complicated and could lead to more damage.

Of all the 62 vulnerabilities patched this month, a total of 17 received a rating of "Critical."

On top of patching flaws in its own products, Microsoft also included fixes for Adobe Flash Player, a product often found on its users' computers, and widely used in enterprise environments.

The Flash Player updates were delivered via the ADV180023 security advisory, also included in the September 2018 Patch Tuesday. This month, Adobe only patched one Flash Player security bug, an information disclosure issue tracked as CVE-2018-15967.

ZDNet has summarized today's Patch Tuesday release in an HTML table, hosted here. The SANS ISC team has also published a table breaking down the updates per product and severity.

If you'd like to filter updates per product, you can use Microsoft's official Security Update Guide portal, available here, which includes interactive filtering options to find only the updates that matter to you.

Yesterday, Microsoft released two documents that detailed for the first time ever how the company's security engineers approach classifying and patching security flaws.
