63 New Flaws (Including 0-Days) Windows Users Need to Patch Now

It's Patch Tuesday once again…time for another round of security updates for the Windows operating system and other Microsoft products. This month Windows users and system administrators need to immediately take care of a total of 63 security vulnerabilities, of which 12 are rated critical, 49 important and one moderate and one low in severity. Two of the vulnerabilities patched by the tech giant this month are listed as publicly known at the time of release, and one flaw is reported as being actively exploited in the wild by multiple cybercriminal groups.

The zero-day vulnerability, tracked as CVE-2018-8589, which is being exploited in the wild by multiple advanced persistent threat groups was first spotted and reported by security researchers from Kaspersky Labs. The flaw resides in the Win32k component (win32k.sys), which if exploited successfully, could allow a malicious program to execute arbitrary code in kernel mode and elevate its privileges on an affected Windows 7, Server 2008 or Server 2008 R2 to take control of it.

The other two publicly known zero-day vulnerabilities which were not listed as under active attack reside in Windows Advanced Local Procedure Call (ALPC) service and Microsoft's BitLocker Security Feature. The flaw related to ALPC, tracked as CVE-2018-8584, is a privilege escalation vulnerability that could be exploited by running a specially crafted application to execute arbitrary code in the security context of the local system and take control over an affected system. Advanced local procedure call (ALPC) facilitates high-speed and secure data transfer between one or more processes in the user mode.

The second publicly disclosed vulnerability, tracked as CVE-2018-8566, exists when Windows improperly suspends BitLocker Device Encryption, which could allow an attacker with physical access to a powered-off system to bypass security and gain access to encrypted data. BitLocker was in headlines earlier this month for a separate issue that could expose Windows users encrypted data due to its default encryption preference and bad encryption on self-encrypting SSDs. Microsoft did not fully address this issue; instead, the company simply provided a guide on how to manually change BitLocker default encryption choice.

Out of 12 critical, eight are memory corruption vulnerabilities in the Chakra scripting engine that resides due to the way the scripting engine handles objects in memory in the Microsoft Edge internet browser. All the 8 vulnerabilities could be exploited to corrupt memory, allowing an attacker to execute code in the context of the current user. To exploit these bugs, all an attacker needs to do is tricking victims into opening a specially crafted website on Microsoft Edge. Rest three vulnerabilities are remote code execution bugs in the Windows Deployment Services TFTP server, Microsoft Graphics Components, and the VBScript engine. All these flaws reside due to the way the affected software handles objects in memory.

The last critical vulnerability is also a remote code execution flaw that lies in Microsoft Dynamics 365 (on-premises) version 8. The flaw exists when the server fails to properly sanitize web requests to an affected Dynamics server. If exploited successfully, the vulnerability could allow an authenticated attacker to run arbitrary code in the context of the SQL service account by sending a specially crafted request to a vulnerable Dynamics server.

This month's security update also covers 46 important vulnerabilities in Windows, PowerShell, MS Excel, Outlook, SharePoint, VBScript Engine, Edge, Windows Search service, Internet Explorer, Azure App Service, Team Foundation Server, and Microsoft Dynamics 365. Users and system administrators are strongly advised to apply the above security patches as soon as possible in order to keep hackers and cyber criminals away from taking control of their systems.

For installing security patch updates, head on to Settings → Update & security → Windows Update → Check for updates, or you can install the updates manually.