Tripwire's September 2018 Patch Priority Index (PPI) brings together the top vulnerabilities from Microsoft and Adobe.

First on the patch priority list this month are patches for Microsoft's Internet Explorer, Edge and Scripting Engine. These patches resolve 18 vulnerabilities, including fixes for Elevation of Privilege, Information Disclosure, Memory Corruption, Security Feature Bypass and Spoofing vulnerabilities. Note that this list contains CVE-2018-8457 for Scripting Engine, and Microsoft has rated this as Exploitation More Likely on the Exploitability Index.

Next on the patch priority list this month are patches released by Adobe and described in the APSB18-31 security bulletin. This patch set includes updates for an information disclosure vulnerability in Adobe Flash Player 30.0.0.154 and earlier versions for Windows, Macintosh, Linux and Chrome OS.

Up next, administrators should focus on patching two specific Windows vulnerabilities. First, there is CVE-2018-8440 for the Windows Advanced Local Procedure Call (ALPC). This vulnerability allows an attacker to take advantage of a flaw in the task scheduler ALPC to escalate privileges. This vulnerability has been publicly disclosed with details available describing how it was used in malware. Second, there is CVE-2018-8475, which is a remote code execution vulnerability based on how Windows handles image files. Microsoft has rated both of these vulnerabilities with a 1 on the Exploitability Index, meaning that exploitation is more likely.

Next on the list are the remaining patches for Microsoft Windows. These patches address numerous vulnerabilities across Device Guard, DirectX Graphics Kernel, Windows Kernel, MS XML, Graphics component, JET Database Engine, Win32k Graphics, Windows GDI, Hyper-V, Registry, SMB and Windows Subsystem for Linux.

Lastly for this month, users should focus on the patches for Microsoft Office, SharePoint and .NET. These patches resolve information disclosure, remote code execution, XSS and Elevation of Privilege vulnerabilities.

| BULLETIN | CVE |
| --- | --- |
| Browser | CVE-2018-8461, CVE-2018-8447, CVE-2018-8470 |
| Edge | CVE-2018-8463, CVE-2018-8469, CVE-2018-8366, CVE-2018-8464, CVE-2018-8425 |
| Scripting Engine | CVE-2018-8315, CVE-2018-8452, CVE-2018-8457, CVE-2018-8456, CVE-2018-8459, CVE-2018-8354, CVE-2018-8466, CVE-2018-8467, CVE-2018-8465, CVE-2018-8367 |
| APSB18-31 Adobe Flash | CVE-2018-15967 |
| Windows Advanced Local Procedure Call (ALPC) | CVE-2018-8440 |
| Windows RCE | CVE-2018-8475 |
| Windows | CVE-2018-8449, CVE-2018-8462, CVE-2018-8420, CVE-2018-8433, CVE-2018-8392, CVE-2018-8393, CVE-2018-8332, CVE-2018-8468, CVE-2018-8424, CVE-2018-8438, CVE-2018-8436, CVE-2018-8437, CVE-2018-8434, CVE-2018-0965, CVE-2018-8439, CVE-2018-8435, CVE-2018-8271, CVE-2018-8455, CVE-2018-8442, CVE-2018-8419, CVE-2018-8445, CVE-2018-8336, CVE-2018-8446, CVE-2018-8443, CVE-2018-8410, CVE-2018-8335, CVE-2018-8444, CVE-2018-8441, CVE-2018-8337 |
| Microsoft Office | CVE-2018-8429, CVE-2018-8430 |
| SharePoint | CVE-2018-8426, CVE-2018-8431, CVE-2018-8428 |
| .NET | CVE-2018-8421 |