September 2018 Patch Tuesday – 61 Vulns, FragmentSmack, Hyper-V Escape

Workstation Patches

Browser and Scripting Engine patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. The PDF viewer, Windows image parsing, .net Framework, and Windows font library also have patches available that require a user to interact with a malicious site or file. With two of these vulnerabilities being publicly disclosed, it is important to prioritize Windows workstation patching.

Hyper-V Hypervisor Escape

Two remote code execution vulnerabilities are patched in Hyper-V that would allow an authenticated user on a guest system to run arbitrary code on the host system. Microsoft notes that exploitation of this vulnerability is less likely, but these patches should still be prioritized for Hyper-V systems.

FragmentSmack

While this vulnerability has not been patched, Microsoft has issued guidance for the FragmentSmack vulnerability which is a denial-of-service against the IP stack.

Adobe

Adobe has released patches for Flash and Coldfusion. While Adobe lists CVE-2018-15967 as an “Important” privilege escalation against Flash, Microsoft lists this vulnerability as Critical and Remote Code Execution. For the Coldfusion patches, 9 CVEs are covered, with 6 if them labeled as Critical. In late August, Adobe also released out-of-band patches for Adobe Photoshop CC and Creative Cloud. Two Photoshop CVEs are listed as Critical, and one Creative Cloud vulnerability is labeled Important.