Browser and Scripting Engine patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. The PDF viewer, Windows image parsing, .net Framework, and Windows font library also have patches available that require a user to interact with a malicious site or file. With two of these vulnerabilities being publicly disclosed, it is important to prioritize Windows workstation patching.
Hyper-V Hypervisor Escape
Two remote code execution vulnerabilities are patched in Hyper-V that would allow an authenticated user on a guest system to run arbitrary code on the host system. Microsoft notes that exploitation of this vulnerability is less likely, but these patches should still be prioritized for Hyper-V systems.
While this vulnerability has not been patched, Microsoft has issued guidance for the FragmentSmack vulnerability which is a denial-of-service against the IP stack.
Adobe has released patches for Flash and Coldfusion. While Adobe lists CVE-2018-15967 as an “Important” privilege escalation against Flash, Microsoft lists this vulnerability as Critical and Remote Code Execution. For the Coldfusion patches, 9 CVEs are covered, with 6 if them labeled as Critical. In late August, Adobe also released out-of-band patches for Adobe Photoshop CC and Creative Cloud. Two Photoshop CVEs are listed as Critical, and one Creative Cloud vulnerability is labeled Important.
*** This is a Security Bloggers Network syndicated blog from The Laws of Vulnerabilities – Qualys Blog authored by Jimmy Graham. Read the original post at: https://blog.qualys.com/laws-of-vulnerabilities/2018/09/11/september-2018-patch-tuesday-61-vulns-fragmentsmack-hyper-v-escape