Microsoft's September Security Updates Include Zero-Day Fix
Microsoft's September security updates, released on Tuesday, included a fix for a zero-day local privilege escalation flaw that was disclosed with lots of drama last month.
The flaw, now named CVE-2018-8440, was exposed by a security researcher using the Twitter handle SandboxEscaper, who claimed frustration when trying to deal with Microsoft about it. Microsoft also addressed three other publicly disclosed vulnerabilities this month, namely CVE-2018-8409, CVE-2018-8457 and CVE-2018-8475, according to Chris Goettl, director of product management for security at Ivanti, in an Ivanti September Patch Tuesday blog post.
Dustin Childs, writing for Trend Micro's Zero Day Initiative, noted that CVE-2018-8440 "was reportedly seen in malware as soon as September 5th," so it's potentially being exploited in the field. He indicated in a Zero Day Initiative blog post that patching this flaw "should be on the top of everyone's deployment list."
On the other hand, Cisco's Talos Intelligence Group blog ranked CVE-2018-8440 only in its "important vulnerabilities" category for patching, while noting that the exploit has been "spotted in the wild" as part of malware. The Talos blog suggested that IT pros should focus on patching 16 of Microsoft's total 17 "critical" flaws this month.
Ivanti, in contrast, has a hierarchical approach for prioritizing monthly patching tasks. Ivanti argues that zero-day flaws should be patched first, followed by flaws uncovered by public disclosures. Next, IT pros should address so-called "user-targeted" flaws, which are exploited through phishing-enabled attacks that depend on a user clicking on an unsafe link or document attachment.
"This month nearly all of the Microsoft updates and the Flash and browser updates include user-targeted vulnerabilities," Goettl noted in Ivanti's blog post.
All told, security vendors are counting 61 vulnerabilities getting patched with Microsoft's September update. Of that total, 17 are rated "critical," 43 are rated "important" and one is deemed "moderate." Affected Microsoft products include Windows, Microsoft Office, browsers (Internet Explorer and Edge), .NET Framework, ASP.NET, Adobe Flash Player and more.
As usual, Microsoft provides overall information about the patches in its monthly Security Update Guide. However, this guide consists of 52 pages of common vulnerabilities and exposures (CVE) articles with brief descriptions. Many IT pros see this guide as being less useful than Microsoft's past, more verbose patch descriptions. Microsoft's release notes for September are equally terse. Microsoft's .NET team published descriptions of the security and quality updates released for the .NET Framework this month, along with fixes for .NET Core. The Office team has also published a terse note about Office patches.
IT pros have been describing synchronization problems when using Windows Server Update Services (WSUS) to manage this month's patches, as noted in a blog post by Computerworld author Woody Leonhard. Bruno Nowak, director of product marketing for Microsoft 365, obliquely acknowledged the problem in an "Ask Microsoft Anything" FastTrack Modern Desktop Yammer session this morning.
"We absolutely continue to work on fixing issues with both WSUS and SCCM that may be impacting your ability to deploy updates," he wrote in response to a WSUS query. He didn't provide further details, though.
In other security news, the Microsoft Security Response Center has published its very first public documentation of its "security servicing criteria for Windows," according to an announcement. It defines Microsoft's thinking on how it responds to Windows security vulnerabilities that may get discovered by Microsoft or by security researchers.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.