It is Patch Tuesday, and this month Microsoft fixed 50 vulnerabilities, including 11 critical remote code execution (RCE) flaws.
Attackers do not appear to be exploiting any of the vulnerabilities yet. One hole, however, was publicly disclosed before a fix was released. The disclosed vulnerability is a use-after-free issue that allows an attacker to execute arbitrary code if they can convince the targeted user to open a malicious web page or file. The weakness was reported to Microsoft through Trend Micro’s Zero Day Initiative (ZDI), which made details public after its 120-day deadline expired.
The list of critical vulnerabilities also includes CVE-2018-8225, which impacts the Windows DNS component DNSAPI.dll. An attacker can leverage this flaw to execute arbitrary code in the context of the Local System Account by using a malicious DNS server to send specially crafted DNS responses to the targeted system.
Another critical RCE flaw, CVE-2018-8251, impacts the Windows Media Foundation component, and Microsoft believes it could be exploited in the wild at some point. An attacker can exploit this flaw to take complete control of a system by getting the targeted user to open a malicious web page or document. That underlines why users should apply the patches.
A security hole affecting the HTTP Protocol Stack (Http.sys) allows an attacker to achieve remote code execution by sending a specially crafted packet to the targeted server. While the flaw can be exploited without authentication and is considered critical, Microsoft believes exploitation is “less likely.”