Microsoft has issued its latest monthly round of security fixes, this time addressing some fifty vulnerabilities, including one critical zero-day and three that have already been publicly disclosed.
The most pressing vulnerability to fix would appear to be CVE-2018-8453, a privilege escalation flaw in Win32 that stems from the OS failing to properly handle objects in memory.
“An attacker first needs to log into the operating system, but then can exploit this vulnerability to run code in the kernel and gain administrator privileges,” explained Ivanti director of product management, Chris Goettl. “This vulnerability has a Base CVSS score of 7 and is present in all operating systems with updates this month from Server 2008 through Windows 10.”
On that note, Microsoft has also released a fix for an issue which forced the firm to pause its Windows 10 October 2018 Update (version 1809).
According to Redmond, “an incorrect timing calculation may prematurely delete user profiles on devices subject to the ‘Delete user profiles older than a specified number of days’ group policy.” In effect, the bug deleted every file in the affected user’s C:\Users\[username]\Documents\ folder, and rolling back to the previous version did not restore them.
There’s been a fair amount of criticism from security experts as to how Microsoft managed to let such a major fault ship with its latest update, especially as the issue had been flagged in the past.
Elsewhere, three publicly disclosed bugs will need to be addressed, according to Rapid7 senior security researcher, Greg Wiseman.
“CVE-2018-8497 is another elevation of privilege vulnerability affecting Windows 10 / Server 2016 and newer,” he explained. “CVE-2018-8423 is an RCE in Microsoft's JET Database Engine and affects all supported versions of Windows. The third public vulnerability [CVE-2018-8531] is another RCE, relevant to developers who build products using the Azure IoT Hub Device Client C# SDK.”