Microsoft patches plenty, including nasty Elevation of Privilege problem

By on
Microsoft patches plenty, including nasty Elevation of Privilege problem

Microsoft and Abode have issued their monthly collection of software patches and, as ever, both contain fixes that deserve swift attention.

The first on an infosec team’s to-do list may well be CVE-2018-8440, which Microsoft has described as “An elevation of privilege vulnerability” that manifests when “Windows improperly handles calls to Advanced Local Procedure Call.”

“An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

The news isn’t all bad, as “To exploit this vulnerability, an attacker would first have to log on to the system.” But once logged in, the “attacker could then run a specially crafted application that could exploit the vulnerability and take control over an affected system.”

Microsoft has also advised of an as-yet-unpatched problem dubbed “FragmentSmack" that could see an attacker “send many 8-byte sized IP fragments with random starting offsets, but withhold the last fragment and exploit the worst-case complexity of linked lists in reassembling IP fragments.”

“A system under attack would become unresponsive with 100 percent CPU utilisation but would recover as soon as the attack terminated.”

Other fixes address issues with:

  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • Microsoft Office and Microsoft Office Services and Web Apps
  • ChakraCore
  • Adobe Flash Player
  • .NET Framework
  • Data.OData
  • NET

Some 17 of the fixes are rated critical because they can allow code execution. Among those flaws is one that impacts and allows arbitrary code execution. Microsoft may not mind CVE-2018-8336, because while it allows unauthorized parties to take over Windows Server 2008 and Windows 7, Microsoft is trying to hustle users off those old platforms anyway!

Five updates improve security in Microsoft’s Edge and Internet Explorer browsers. Three fix flaws in Windows Server 2008 on Itanium, the seldom-used HPE/Intel silicon collaboration that utterly failed to excite enterprise buyers.

The full list of patches Microsoft patches can be found here.

Adobe’s also issued its monthly patches. Readers will not be surprised to learn that the ever-porous Flash Player has a problem that could "lead to information disclosure." Adobe’s other patches address a ColdFusion issue “that could lead to arbitrary code execution.”

Happy patching.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
adobe itanium microsoft patch tuesday security

Partner Content

How NinjaOne Is Supporting The Channel As It Builds An Innovative Global Partner Program
How NinjaOne Is Supporting The Channel As It Builds An Innovative Global Partner Program
Tech For Good program gives purpose and strong business outcomes
Tech For Good program gives purpose and strong business outcomes
Ingram Micro Ushers in the Age of Ultra
Ingram Micro Ushers in the Age of Ultra
Build cybersecurity capability with award winning Fortinet training from Ingram Micro
Build cybersecurity capability with award winning Fortinet training from Ingram Micro
Secure, integrated platforms enable MSPs to focus bringing powerful solutions to customers
Secure, integrated platforms enable MSPs to focus bringing powerful solutions to customers

Sponsored Whitepapers

Easing the burden of Microsoft CSP management
Easing the burden of Microsoft CSP management
Stop Fraud Before It Starts: A Must-Read Guide for Safer Customer Communications
Stop Fraud Before It Starts: A Must-Read Guide for Safer Customer Communications
The Cybersecurity Playbook for Partners in Asia Pacific and Japan
The Cybersecurity Playbook for Partners in Asia Pacific and Japan
Pulseway Essential Eight Framework
Pulseway Essential Eight Framework
7 Best Practices For Implementing Human Risk Management
7 Best Practices For Implementing Human Risk Management

Events

techpartner.news MSP index - Brisbane
techpartner.news MSP index - Brisbane
techpartner.news Channel Leader List / Golf day
techpartner.news Channel Leader List / Golf day
techpartner.news Pipeline Conference 2025
techpartner.news Pipeline Conference 2025
Integrate Expo 2025
Integrate Expo 2025
Security Exhibition & Conference 2025
Security Exhibition & Conference 2025

Most read articles

Australian MSP Index launched

Australian MSP Index launched
Ingram Micro Ushers in the Age of Ultra

Ingram Micro Ushers in the Age of Ultra
Announcing Pipeline 2025 tickets, theme & initial speakers

Announcing Pipeline 2025 tickets, theme & initial speakers
Vic gov to spend $100m on cyber security

Vic gov to spend $100m on cyber security

Log in

Email:
Password:
  |  Forgot your password?