October 2018 Patch Tuesday – 49 Vulns, Critical browser patches, Hyper-V, Adobe vulns
In this month’s Patch Tuesday release there are 49 vulnerabilities patched with 12 Criticals. Out of the criticals, over half are browser-related, with the rest including Hyper-V and MSXML Parser. Microsoft Exchange covers CVE-2010-3190 which was not identified as in-scope product when originally published, per Microsoft. Microsoft Office covers 9 Important CVEs including Sharepoint and Graphics component.
Browser and Scripting Engine patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users. There are total 23 CVEs for Windows.
Hyper-V Hypervisor Escape
Two remote code execution vulnerabilities (CVE-2018-8489 and CVE-2018-8490) are patched in Hyper-V that would allow an authenticated user on a guest system to run arbitrary code on the host system. Microsoft notes that exploitation of this vulnerability is less likely, but these patches should still be prioritized for Hyper-V systems.
Microsoft Exchange Server
A vulnerability (CVE-2010-3190) was discovered in Exchange that can result in remote code execution. Exploitation of this vulnerability could take complete control of an affected system.
Microsoft has disclosed that Exchange Server was not identified as an in-scope product when CVE-2010-3190 was originally published. This vulnerability affects all installations of Exchange Server.
Adobe has also released patches covering Technical Communications Suite, Framemaker, and Digital Editions. Two vulnerabilities in Adobe Digital Editions have been marked as Critical and one vulnerability is labeled as important.
Credit to Animesh Jain posted in The Laws of Vulnerabilities on October 9, 2018 11:21 AM