Yesterday was Microsoft's monthly cumulative update release to shore up Windows 10. September's Patch Tuesday featured the usual fixes for known problems and security patches. Included in the release notes were fixes for 61 vulnerabilities, 17 of which Microsoft deemed to be “critical”.
While Patch Tuesday patched a bunch of known security flaws, Microsoft also detailed four unfixed security problems. The company says it will work on patches for these problems, which should arrive this month.
The four Microsoft services awaiting patches are Microsoft Edge, Office, Internet Explorer, and .NET Framework.
One of the flaws is the ALPC Elevation of Privilege vulnerability (CVE-2018-8440) . This vulnerability has already been exploited in the wild. It exploits the Taskscheduler in Windows 10. The problem could allow an attacker to alter permissions and gain wider system access, albeit only with local access.
Acros Security last month issued a micropatch to mitigate the flaw. This fix stops any bad actors from exploiting the problem but was not an official response from Microsoft. On Patch Tuesday, an official patch was released.
More Fixed Flaws
CVE-2018-8409: A denial of service vulnerability exists when System.IO.Pipelines improperly handles requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an application that is leveraging System.IO.Pipelines. The vulnerability can be exploited remotely, without authentication.
A remote unauthenticated attacker could exploit this vulnerability by providing specially crafted requests to the application.
CVE-2018-8457: A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.
If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
CVE-2018-8475: A remote code execution vulnerability exists when Windows does not properly handle specially crafted image files. An attacker who successfully exploited the vulnerability could execute arbitrary code.
To exploit the vulnerability, an attacker would have to convince a user to download an image file.