UPDATE
Microsoft has patched an elevation-of-privilege vulnerability it said is actively being exploited by hackers. The fix was part of Microsoft’s scheduled September Patch Tuesday release, which also included fixes for two other bugs found being used in the wild, including the zero-day found in the Windows Task Scheduler last week.
In total, Microsoft’s September Patch Tuesday release included 61 fixes, comprising 17 critical bugs, 43 rated important and one rated moderate. All 17 of the critical vulnerabilities are remote code-execution (RCE) bugs. The 61 patched vulnerabilities impacted a range of products including Internet Explorer, Edge, Hyper-V, Windows components, Office and Microsoft’s JavaScript engine ChakraCore.
Most notable of the flaws revealed Tuesday is a Windows elevation-of-privilege vulnerability (rated important). The bug was reported Aug. 27 via Twitter by researcher @SandboxEscaper. The bug (CVE-2018-8440) could allow a local adversary to leverage a weakness in the Windows Task Scheduler API and run arbitrary code on a targeted system.
Microsoft did indicate that the bug (CVE-2018-8440) was being actively exploited. Researchers at Recorded Future and elsewhere also said the bug was being used in active campaigns and urged system admins to update systems as soon as possible.
“[We are] seeing these vulnerabilities being exploited in the wild… so these should be the first priority when it comes to patching,” wrote Allan Liska, threat intelligence analyst at Recorded Future, in his breakdown of Microsoft’s release of patches. The vulnerability impacts Windows 7 through Windows 10, as well as Windows Server 2008 through Windows Server 2016.
In addition to these, Microsoft patched two critical vulnerabilities (CVE-2018-8475 and CVE-2018-8457) that it said were publicly known, but not exploited. A fourth, important-rated denial-of-service bug (CVE-2018-8409) was also publicly known prior to being patched, but not exploited.
In addition to these flaws, Microsoft also tackled a pair of critical Windows Hyper-V RCE vulnerabilities.
“These are two different CVEs, but I grouped them together as they have the same exploit scenario and impact,” wrote Zero Day Initiative’s Dustin Childs in his Patch Tuesday analysis. “For both cases, a user on a guest virtual machine could execute code on the underlying hypervisor OS. The root cause for both of these bugs goes back to the failure to properly validate user input.”
Also, a total of 19 of Microsoft’s patches are tied to either its Edge or Internet Explorer browsers. One of those was a patch for a memory corruption vulnerability in Microsoft’s own JavaScript engine ChakraCore. “This primarily impacts Microsoft Edge, but it allows an attacker to gain remote access to a system by using a script to corrupt memory, and then having the attacker execute a loader that calls out to their command and control infrastructure. Because this vulnerability allows an attacker to gain remote access, it should also be prioritized for patching,” Liska said.
Two other serious RCE vulnerabilities addressed this month were flagged by Greg Wiseman, senior security researcher at Rapid7, in his analysis of Microsoft’s Patch Tuesday release. The first is a Win32k graphics vulnerability (CVE-2018-8332), which could be exploited by convincing a user to browse to a website or open a document containing a malicious embedded font.
He also warned of CVE-2018-8430, a Word PDF RCE vulnerability.
“A remote code-execution vulnerability exists in Microsoft Word if a user opens a specially crafted PDF file,” Microsoft noted regarding the bug. “An attacker who successfully exploited the vulnerability could cause arbitrary code to execute in the context of the current user. To exploit the vulnerability, an attacker must entice the user to open a specially crafted PDF file.”
(This story was updated 9/13/2018 to correct assertions by a vendor that two CVEs, in addition to CVE-2018-8440, were actively being exploited at the time Microsoft released its September Patch Tuesday bulletin.)