Microsoft has released its September Patch Tuesday updates with fixes for 61 flaws as well as updates for flaws affecting Adobe’s Flash Player.
The updates include security fixes for Internet Explorer, Edge, Windows, Office, ChakraCore, Hyper-V, the .NET framework, and ASP .NET. Of the 61 flaws addressed, 17 are critical, 43 are rated as important and one is moderate.
As noted by the Zero Day Initiative, four flaws addressed in this update have been made public, while a Windows Advanced Local Procedure Call (ALPC) elevation of privilege is being exploited already.
A proof of concept exploit for the ALPC issue, which affects Windows Task Scheduler, was published by a security researcher in late August and within days hackers had adapted it for real-world attacks. The bug has been tagged as CVE-2018-8440.
Also of note are two bugs — CVE-2018-0965 and CVE-2018-8439 — which affect Windows Hyper-V that allow a users on a guest virtual machine to execute code on the underlying hypervisor OS.
Meanwhile, a critical Win32k graphics remote code execution flaw in the Windows font library may be exploited using specially crafted embedded fonts. The bug affects Office 2016 for Windows and Mac, as well as Windows 10, 7, and 8.1, and Windows Server.
Microsoft has also warned that two critical remote code execution flaws affecting its Edge browser are likely to be exploited, as is a remotely exploitable flaw affecting Windows due to a bug in the Microsoft XML Core Services, which could allow a remote attacker to take control of the user’s system.
Details about a critical remote code execution flaw affecting Internet Explorer 11 and Edge have been publicly disclosed. Another critical flaw affecting Internet Explorer 11 should also be addressed quickly. If exploited, the flaw could give an attacker the same user rights as the user and if the user is logged in as administrator, the attacker could take control of the system and then install programs, modify or delete data, and create new accounts with full user rights.
Adobe’s fixes for Flash Player address a single privilege escalation vulnerability with an important rating. Version 30.0.0.154 and earlier are affected.