The monthly Microsoft security updates --known as the Patch Tuesday updates-- are out, and this month, the OS maker has fixed 62 security flaws, including a recent zero-day vulnerability that was dumped on Twitter last month, and later adopted by a malware campaign.
This month, patches were made available for products such as Microsoft Windows, Microsoft Edge, Internet Explorer, ASP.NET, the .NET Framework, Edge's ChakraCore component, Adobe Flash Player, Microsoft.Data.OData, Microsoft Office, and Microsoft Office Services and Web Apps.
Also: 7 tips for SMBs to improve data security TechRepublic
Of all the 62 fixes, the most important was the one tracked as CVE-2018-8440. This vulnerability, as discussed at the time in a more detailed article, allows malware or an attacker already present on a system to gain SYSTEM-level access by exploiting a flaw in the Advanced Local Procedure Call (ALPC) function of the Windows Task Scheduler.
Details about this vulnerability, including proof-of-code exploit code, were disclosed in late August on Twitter, and the vulnerability was later incorporated into an active malware distribution campaign by a cyber-criminal group known as PowerPool.
But while this was the only unpatched vulnerability exploited in the wild, it was not the only security bug about which details became public before Microsoft had a chance to release a patch.
Details were also published online about three others, but no threat actor launched any attacks using them, according to Microsoft's knowledge. The three are:
- CVE-2018-8409 - System.IO.Pipelines Denial of Service
- CVE-2018-8457 - Scripting Engine Memory Corruption Vulnerability
- CVE-2018-8475 - Windows Remote Code Execution Vulnerability
Of these three, the first one was classified as "Important," while the second and third were rated "Critical," meaning exploitation was not too complicated and could lead to more damage.
Also: Best Home Security Devices for 2018 CNET
Of all the 62 vulnerabilities patched this month, a total of 17 received a rating of "Critical."
On top of patching flaws in its own products, Microsoft also included fixes for Adobe Flash Player, a product often found on its users' computers, and widely used in enterprise environments.
The Flash Player updates were delivered via the ADV180023 security advisory, also included in the September 2018 Patch Tuesday. This month, Adobe only patched one Flash Player security bug, an information disclosure issue tracked as CVE-2018-15967.
If you'd like to filter updates per product, you can use Microsoft's official Security Update Guide portal, available here, which includes interactive filtering options to find only the updates that matter to you.
Yesterday, Microsoft released two documents that detailed for the first time ever how the company's security engineers approach to classifying and patching security flaws.
Previous and related coverage:
Cyber attacks and malware are one of the biggest threats on the internet. Learn about the different types of malware - and how to avoid falling victim to attacks.
This simple advice will help to protect you against hackers and government surveillance.
Whether you're in the office or on the road, a VPN is still one of the best ways to protect yourself on the big, bad internet.