Microsoft issued the August 2018 Security Updates that include over 60 unique vulnerability fixes, 19 of them rated critical and two zero days actively exploited.
The updates address multiple Microsoft products to include, but not limited to: Windows, Internet Explorer, Edge, Office, Office Services and Web Apps, ChakraCore, Visual Studio, Exchange, SQL Server, .NET Framework and Adobe Flash Player.
One of the zero-day vulnerabilities is a Windows Shell remote code execution vulnerability (CVE-2018-8414):
“An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user. If the current user is logged on as an administrator, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with elevated privileges.”
The second zero-day is a Windows Kernel information disclosure vulnerability (CVE-2018-8341):
“An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system.”
Admins should also take note to patch a buffer flow engine vulnerability in SQL Server version 2016 and 2017 (CVE-2018-8273) and a memory corruption vulnerability in Exchange server (CVE-2018-8302).
See the Security Update Guide and August summary release notes for more details on all patches.