Patch Tuesday September 2018

Microsoft patches 62 vulnerabilities, 17 of which are rated Critical. Including a patch for the zero-day ALPC vulnerability that was publicly disclosed on Twitter at the end of August.

This month Microsoft patches five critical vulnerabilities for all versions of Windows 10 and Windows Server 2016, and some of them affect older versions of Windows. All are remote code execution flaws, one of which is in Hyper-V and could allow an attacker to execute arbitrary code. There are also patches for flaws caused by embedded fonts, the MS XML parser, and specially crafted image files.

ALPC Zero-Day

On 27^th August a Twitter user (@SandboxEscaper) publicly released information about a zero-day Advanced Local Procedure Call (ALPC) vulnerability in Windows that could allow hackers with local access to the Task Scheduler to elevate privileges to SYSTEM. The user posted a link to proof-of-concept code, which was verified independently by the United States Computer Emergency Readiness Team (US-CERT) to work on fully-patched Windows 10 and Windows Server 2016 64-bit systems.

The flaw was found in the way Task Scheduler handles Advanced Local Procedure Calls (ALPCs), which is a kernel process that allows client processes to communicate with server processes. Microsoft acknowledged the ALPC bug and in this month patches it. While rated Important and not Critical by Microsoft, this one is important to patch because it is already being exploited in a targeted campaign.

Among the other flaws rated Important, the Hyper-V BIOS loader fails to provide a high-entropy source and Device Guard incorrectly validates an untrusted file. Six elevation of privilege vulnerabilities are also patched.

Fragment Stack Vulnerability

Microsoft published a security advisory (CVE-2018-5391) for a Windows denial of service vulnerability but no fix, just a workaround. The fragment stack vulnerability was patched in the Linux kernel last month and can result in packet loss due to out-of-order IP packets being dropped. Microsoft discovered that the vulnerability also affects Windows systems and you can read about a workaround if you think you might be vulnerable here.

Edge and Internet Explorer

CVE-2018-8457 is a scripting engine memory corruption vulnerability in Edge and IE that could be exploited via a malicious website or Office file. While it is thought that hackers already knew about this flaw, there is no evidence that it was being exploited prior to this month’s patches. There are nine other critical patches for both browsers that are all remote code execution vulnerabilities.

Microsoft Office

Office Click-To-Run gets a critical patch for the embedded fonts flaw that was also patched in Windows. There are three important patches, two of which are remote code execution flaws and one information disclosure.

Adobe Flash

Flash is no exception this month and Adobe has patched a privilege escalation flaw rated as important and detailed in CVE-2018-15967.

Windows 7 Monthly Rollup

Some users have reported receiving error 0x8000FFF when installing this month’s rollup for Windows 7. According to the information I found on a support forum, this is connected to an out-of-date servicing stack. KB3177467 must be installed before this month’s rollup can be applied.

Spectre and L1TF Advisory Updates

Last but not least, a speculative execution side-channel vulnerability, also referred to as L1 Terminal Fault (L1TF) that affects Intel CPUs, gets an updated advisory. Along with updated advice for Spectre on AMD processors. You can review the updated information on L1TF here, and get the latest Spectre advice here.

That is it for this month!