Microsoft issued the September 2018 Security Updates that include over 60 unique vulnerability fixes, 17 of them rated critical to include a zero day being actively exploited.
The updates address multiple Microsoft products to include, but not limited to: Windows, Edge, Office, Office Services and Web Apps, ChakraCore, .NET Framework, Microsoft.Data.OData and Adobe Flash Player.
One of the zero-day vulnerabilities is a Windows ALPC Elevation of Privilege Vulnerability (CVE-2018-8440).
According to Microsoft, an elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC):
“An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user. If the current user is logged on as an administrator, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with elevated privileges.”
See the Security Update Guide and September summary release notes for more details on all patches.