Microsoft issued the October 2018 Security Updates that include nearly 50 unique vulnerability fixes, 12 of them rated critical.
The updates address multiple Microsoft products, including but not limited to Windows, Edge, Office, Office Services and Web Apps, ChakraCore, .NET Framework, Exchange Server, PowerShell Core and Azure IoT Edge.
One of the critical vulnerabilities is an Internet Explorer (IE) Memory Corruption Vulnerability (CVE-2018-8460) that could result in remote code execution (RCE).
Another of the critical Memory Corruption Vulnerabilities (CVE-2018-8473) impacts Edge and could also result in remote code execution.
According to Microsoft, the RCE vulnerabilities exist when IE or Edge improperly accesses objects in memory:
“The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, the attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
Microsoft says that each of these RCE bugs affecting the IE and Edge browsers is more likely to be exploited.
Other updates to take note of include an Exchange Server patch that fixes an MFC Insecure Library Loading Vulnerability that could result in remote code execution.
Two Hyper-V remote execution vulnerabilities (CVE-2018-8489 and CVE-2018-8490) were also patched in the October security update.
See the Security Update Guide and October summary release notes for more details on all patches.