Microsoft Fixes 17 Critical Vulnerabilities
Microsoft has released its monthly batch of security patches fixing 61 vulnerabilities across its products, including 17 that are rated critical and four that have been publicly disclosed.
Four critical memory corruption vulnerabilities were patched in the Chakra JavaScript scripting engine that’s used in Microsoft Edge and two critical flaws were fixed in Internet Explorer. Another remote code execution flaw was fixed in the Microsoft Edge PDF engine and four in the scripting engine used by both IE and Edge.
According to Microsoft, one of the critical scripting engine vulnerabilities, CVE-2018-8457, had been publicly disclosed, but the company is not aware of any exploits in the wild.
“Browser and Scripting Engine patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser,” said Jimmy Graham, director of product management at Qualys, in a blog post. “The PDF viewer, Windows image parsing, .net Framework, and Windows font library also have patches available that require a user to interact with a malicious site or file. With two of these vulnerabilities being publicly disclosed, it is important to prioritize Windows workstation patching.”
The .NET Framework, the Microsoft XML Core Services MSXML parser, the Win32k graphics component and the Windows image parsing component received patches for one critical remote code execution flaw each. The image parsing flaw, CVE-2018-8475, which can be exploited by tricking users to download a specially crafted image, has been publicly disclosed.
Microsoft also fixed two critical vulnerabilities in the Hyper-V hypervisor, which could allow attackers to escape from a guest virtual machine and execute code on the host system. These patches should be prioritized on servers that use Hyper-V virtualization.
The recently disclosed privilege escalation vulnerability in the Windows ALPC API that can be exploited through Windows Task Scheduler has also been patched. This zero-day flaw is already being exploited in the wild by malware to gain full control of computers.
Microsoft also released a workaround, but not a patch, for a denial-of-service vulnerability called FragmentSmack (CVE-2018-5391) that could lead to high CPU resource exhaustion.
“An attacker could send many 8-byte sized IP fragments with random starting offsets, but withhold the last fragment and exploit the worst-case complexity of linked lists in reassembling IP fragments,” Microsoft said in its advisory. “A system under attack would become unresponsive with 100% CPU utilization but would recover as soon as the attack terminated.”
Adobe Fixes Flaws in Flash Player and CloudFusion
Somewhat surprisingly, Adobe Systems fixed only one flaw in Flash Player this month that’s rated as important. However, the company released patches for six critical vulnerabilities in ColdFusion.
If exploited, the vulnerability in Flash Player (CVE-2018-15967) can lead to information disclosure. Adobe advises users to upgrade to Flash Player version 31.0.0.108 on Windows, macOS and Linux. The patch for the plug-in bundled with Edge and IE 11 has also been distributed through Windows Update.
ColdFusion, an application development platform that’s popular in enterprise environments, received fixes for four deserialization vulnerabilities that can lead to arbitrary code execution. Deserialization flaws have been a problem for many web development frameworks in recent years, particularly those used to create Java-based web applications.
Two other critical flaws patched in ColdFusion can lead to unrestricted file uploads and arbitrary file overwrites. The platform also received patches for two information disclosure flaws and a security bypass issue that can allow attackers to create arbitrary folders.
Adobe advises users to update to ColdFusion 11 Update 15, ColdFusion 2016 Update 7 and ColdFusion 2018 Update 1, depending on which version they’re using.
