Patch Tuesday for September has brought fixes for over 60 security vulnerabilities, 17 of which are critical and one is being actively exploited, Microsoft officials said.
The Redmond, WA-based software giant also released two advisories: One focuses on vulnerabilities it plugged in Adobe Flash and the other that said while the company is still working on an update for CVE-2018-5391, a Windows denial of service vulnerability against the IP stack dubbed “FragmentSmack”, there are some workarounds.
In a world where patches often end up released but not implemented, one of the patched holes is already undergoing exploitation.
CVE-2018-8440, a local privilege escalation vulnerability that arises when Windows incorrectly handles calls to the Advanced Local Procedure Call (ALPC) interface, was revealed publicly in August.
The researcher who found it also published PoC exploit code for it, and it didn’t take long for attackers to take advantage of it, making this is one patch a priority for everyone.
Another patch that should be prioritized is for CVE-2018-8475, a critical Windows remote code execution vulnerability that allows attackers to execute code simply by convincing the target to view an image with malicious code.
CVE-2018-8449 is a security feature bypass that makes Device Guard incorrectly validate an unsigned file. “Because Device Guard relies on the signature to determine the file is non-malicious, Device Guard could then allow a malicious file to execute,” Microsoft said in an advisory.