High Threat Security Alert (A18-09-02): Multiple Vulnerabilities in Microsoft Products (September 2018)

Description:

Microsoft has released security updates addressing multiple vulnerabilities which affect several Microsoft products or components. The list of security updates can be found at:

https://support.microsoft.com/en-us/help/20180911/security-update-deployment-information-september-11-2018

Reports indicate that exploitation of a zero-day vulnerability CVE-2018-8440 was detected against Windows systems. Users are advised to take immediate action to patch the affected systems since there is elevated risk of cyber attacks for the vulnerabilities.

Affected Systems:

• Microsoft Internet Explorer 9, 10, 11
• Microsoft Edge
• Microsoft Windows 7, 8.1, RT 8.1, 10
• Microsoft Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016
• Microsoft Windows Server, version 1709, version 1803
• Microsoft Office 2016 Click-to-Run, 2016 for Mac
• Microsoft Office Compatibility Pack
• Microsoft Word 2013, 2013 RT, 2016
• Microsoft Excel 2010, 2013, 2013 RT, 2016
• Microsoft Excel Viewer 2007
• Microsoft Lync for Mac 2011
• Microsoft SharePoint Enterprise Server 2013, 2016
• Microsoft SharePoint Server 2010
• Microsoft .NET Framework 2.0, 3.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2
• .NET Core 2.1
• ASP.NET Core 2.1
• C SDK for Azure IoT
• ChakraCore

A complete list of the affected products can be found at:

https://portal.msrc.microsoft.com/en-us/security-guidance

Impact:

Depending on the vulnerability exploited, a successful attack could lead to remote code execution, denial of service, elevation of privilege, information disclosure, security feature bypass, tampering or spoofing.

Recommendation:

Patches for affected products are available from the Windows Update/Microsoft Update Catalog. Users of affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.

More Information:

https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/498f2484-a096-e811-a978-000d3a33c573
https://support.microsoft.com/en-us/help/20180911/security-update-deployment-information-september-11-2018
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180022
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180023
https://www.hkcert.org/my_url/en/alert/18091201
https://www.us-cert.gov/ncas/current-activity/2018/09/11/Microsoft-Releases-September-2018-Security-Updates
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0965
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8269
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8271
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8315
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8331 (to CVE-2018-8332)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8335 (to CVE-2018-8337)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8354
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8366 (to CVE-2018-8367)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8391 (to CVE-2018-8393)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8409 (to CVE-2018-8410)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8419 (to CVE-2018-8422)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8424 (to CVE-2018-8426)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8428 (to CVE-2018-8431)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8433 (to CVE-2018-8447)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8449
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8452
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8455 (to CVE-2018-8457)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8459
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8461 (to CVE-2018-8470)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8474 (to CVE-2018-8475)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8479