Despite a relatively light patching workload, admins should button up a zero-day exploit and publicly disclosed vulnerability corrected with the October Patch Tuesday security updates.
To exploit the zero-day vulnerability (CVE-2018-8453), an attacker needs to log in to the Windows system first then run a specially crafted application that uses a bug in the Win32k component to properly handle objects in memory. The attacker can then run code in kernel mode to perform various tasks, such as create accounts with full user rights, install programs or view data. The flaw affects all supported versions of Windows, including Windows Server 2019. The vulnerability is rated important and was discovered by Kaspersky Lab, an endpoint protection platform.
Microsoft fixed a publicly disclosed remote code execution vulnerability (CVE-2018-8423), also rated important, in all supported Windows operating systems. An attacker could take control of the targeted system if a user opened a specially crafted Microsoft JET Database Engine file. Microsoft credits the vulnerability’s discovery to Steven Seeley of Source Incite and Lucas Leong with Trend Micro’s Zero Day Initiative.
Prioritize workstation patches and hold off on Windows 10 update
This October Patch Tuesday, Microsoft patched 23 CVEs for Windows, including browser, scripting engine patches and two Hyper-V remote code execution vulnerabilities.
“The workstation patches should take precedence, namely the browser, scripting engine and Hyper-V ones,” said Animesh Jain, product manager of VM signatures at Qualys in Foster City, Calif. “About nine CVEs need to be fixed for browsers, so we need to have all of them applied on the system.”
The critical Hyper-V remote code execution vulnerabilities (CVE-2018-8489 and CVE-2018-8490) would allow an attacker to run arbitrary code on the host operating system by running a specially crafted application on the guest operating system. Microsoft resolved these by fixing Hyper-V’s validation of user input on the guest operating systems.
Microsoft released Windows 10 version 1809 on Oct. 2, but pulled it four days later due to a major flaw in the operating system update that deleted files in various user folders, such as Documents and Pictures. Rolling back the version does not return any files. Microsoft is still working to rerelease the version.
“How did this possibly get through Microsoft’s QA program? It was such a big issue … [and] they have the Insider program as well,” said Todd Schell, product manager at Ivanti, an IT security company in South Jordan, Utah.
Old patches may not be reliable
Microsoft also alerted administrators to a potential issue when applying certain security updates for Exchange Server 2013 and 2016 in Microsoft Knowledge Base article 4459266. The patches might not have corrected all affected files if IT workers manually installed the patches when not using an administrator account.
Microsoft said the issue does not occur when installing the update from Microsoft Update. IT workers can also run the latest security update file as an administrator.
Microsoft initially released a patch for a remote code execution (CVE-2010-3190) in 2010, but issued updated information about it in Knowledge Base article 4459266. An attacker could take control of a system with full privileges and install programs, create new accounts or change data through a vulnerability in the way applications built in Microsoft Foundation Classes handle DLL files.
Other CVEs included in the article refer to an elevation of privilege flaw (CVE-2018-8448) and remote code execution vulnerability (CVE-2018-8265).