Skip to content
Naked Security Naked Security

Update now! Microsoft’s September 2018 Patch Tuesday is here

September’s Patch Tuesday is upon Windows users - 61 CVEs, 17 flaws rated as critical, a zero-day and a flaw affecting Adobe Flash Player.

Patch Tuesday is upon Windows users once again, delivering fixes for 61 security flaws, including one confirmed zero day, several vulnerabilities in the public domain, and the now-standard Adobe Flash vulnerability to remind everyone they should stop using it.
There are several ways to cut every Patch Tuesday, but the headline vulnerabilities are usually the best place to start: 61 CVEs, 17 flaws rated as critical, and a flaw affecting Adobe Flash Player.

ALPC zero day

The standout this month is CVE-2018-8440, a system-compromising issue in the Windows Task Scheduler’s Advanced Local Procedure Call (ALPC) function, revealed on 27 August by someone on Twitter using the ID SandboxEscaper, complete with a GitHub proof-of-concept.
By early September an in-the-wild exploit had been spotted. Security company Acros Security quickly issued its own micropatch for the flaw, although only for Windows 10 64-bit version 1803.
A limitation is that the attacker would need to be logged in to the affected system locally but as that could easily happen using a malicious attachment, this one needs immediate attention.

Public flaws

According to Microsoft, three other flaws are in the public domain, with the biggie being CVE-2018-8475 – a critical-rated remote code execution (RCE) in the Windows Graphics Component that could allow an attacker to compromise a system simply by getting a user to view an image file.
Also in limbo are CVE-2018-8457, a critical-rated scripting engine memory corruption vulnerability, and CVE-2018-8409, a denial of service vulnerability in the System.IO.Pipelines rated one notch down at ‘important’. No exploits are known for these, but Microsoft has placed them in the ‘public’ category, which gives patching them added urgency.

Adobe Flash

It wouldn’t be Patch Tuesday without at least one Flash flaw and, sure enough, September delivers with ADV180023, aka CVE-2018-15967. It’s a patch for the important-rated Flash flaw identified as APSB18-31 affecting Adobe Flash Player plus the plug-ins for Chrome, Firefox, Edge, and IE11. There are doubtless good reasons why some people persevere with Flash, but the list is surely shrinking by the day, with most browsers now requiring users to manually enable its use.

Others to watch

  • CVE-2018-0965 – “a critical remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system.”
  • CVE-2018-8430 and CVE-2018-8331 – RCE flaws affecting Word and Excel respectively.

As for updates, Windows 10 users running the April 2018 Windows 10 update (17134.285) will be presented with KB4457128, while for those still on last year’s Fall Creators refresh (16299.665) it’s KB4457142.  For Windows 7, it’s KB4457144.
Still confused? SANS ISC publishes its own product breakdown on September’s flaws, which helpfully includes their CVSS scores.


But what about users of Windows 8 and 8.1? No mention of them again and just a mention in passing about Windows 7. You should cover all currently valid OS’s that are in use as they can all suffer from poor coding and hence vulnerabilities.


We’ve linked to the exhaustive list on Microsoft’ website, where every supported Windows flavour has a row of its own. The list has several hundred [!?!] entries, so you’ll have to forgive us for giving you the 10,000-metre view here and inviting you to infer that many of these issues apply broadly across the range of “currently valid OSes”.
FYI, Windows 8 is not supported by Microsoft – it was removed from the list some years ago and permanently superseded by 8.1 – if you have Windows 8, the correct way to update it is to shift to Windows 8.1 (or Windows 10) and get the latest version of that. So there would be nothing for us to cover in respect of Windows 8 even if we deliberately repeated every item on the official list.


And users will also be nagged more and more to use Microsoft Edge instead of being able to use alternate browsers.


You *can* use other browsers on Windows. There’s no “instead of being able to use alternate browsers” about it.
Every commercial OS I’ve used recently (macOS, iOS, Google Android, and Windows) comes with a preferred browser that’s in the OS build. All of them allow you to install other browers (though iOS requires them to be Webkit based).


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!