This month’s Patch Tuesday brings with it a total of 60 security patches covering various products such as Internet Explorer, Edge, ChakraCore, Windows components, .NET Framework, SQL Server, Exchange Server, and Microsoft Office. Of these 60 vulnerabilities, 20 are listed as Critical, 38 are rated Important, one is rated as Moderate, and one is rated as Low severity. At the time of this release, two vulnerabilities (CVE-2018-8373 and CVE-2018-8414) had already been publicly disclosed and are actively being exploited in the wild.
IE is patched for five vulnerabilities this month, including the aforementioned vulnerability that is being actively exploited. The majority of these vulnerabilities are caused by memory corruption issues which can lead to remote code execution. An attacker can leverage these by enticing a victim to browse to a specially crafted webpage.
Two critical memory corruption issues were patched this month within the Edge browser, along with four important, and one low severity vulnerabilities. The worst of these (the critical-rated issues), are similar to those affecting IE in that they require a victim to browse specially crafted webpages.
The Chakra Scripting Engine contains five critical vulnerabilities along with one important rated memory corruption vulnerability. The worst of these can lead to remote code execution and can also be leveraged through a specially crafted website, in addition to embedding an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the browser rendering engine.
Various Windows components are patched this month which include Windows Shell, Graphics, GDI+, Diagnostic Hub, Device Guard, Cortana, Windows Installer, ADFS, Windows Kernel, Windows NDIS, Microsoft COM, DirectX Graphics, LNK, and Win32k. Of these components the one to be most concerned about is Windows Shell and specifically CVE-2018-8414. As previously mentioned, this vulnerability is also being actively exploited.
The .Net Framework is patched for only one important rated vulnerability this month. This vulnerability can lead to information disclosure and can occur when .NET Framework is used in high-load/high-density network connections where content from one stream can blend into another stream.
A critical vulnerability has been patched in SQL Server which is caused by a classic buffer overflow. An attacker could leverage this by sending a specially crafted query to the affected server which can lead to code execution in the context of the service account. Extra attention should be applied to this considering the amount of damage an attacker could cause when exploiting this vulnerability.
Two vulnerabilities are patched within Exchange Server, one critical and one important rated. The critical vulnerability is caused by Exchange failing to properly handle objects in memory which can lead to remote code execution in the context of the System user. Exploitation of the vulnerability requires that a specially crafted email be sent to a vulnerable Exchange server.
Office is patched for five important-rated vulnerabilities which can lead to elevation of privilege and information disclosure. Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office software.