Microsoft released 61 security patches for September, including 17 listed as Critical. Several flaws were publicly disclosed before the release and one is already being actively exploited in the wild.
The patches and advisories cover Internet Explorer (IE), Edge, ChakraCore, Azure, Hyper-V, Windows components, .NET Framework, SQL Server, and Microsoft Office and Office Services. You can find all of the updates at the Microsoft portal.
Here are the highlights from this month’s release, with the information you need to prioritize your patching efforts.
CVE-2018-8440 – Windows ALPC Elevation of Privilege Vulnerability
The patch to prioritize this month is CVE-2018-8440, a local privilege escalation vulnerability that arises when Windows incorrectly handles calls to the Advanced Local Procedure Call (ALPC) interface. The flaw was first made public last month via a tweet (which was later deleted), and attackers are already taking advantage of it.
At the time it was disclosed, Will Dormann, a Vulnerability Analyst at the CERT/CC, noted, “I’ve confirmed that this works well in a fully-patched 64-bit Windows 10 system.”