September Patch Tuesday 2018 has been released, fixing a total of 62 security vulnerabilities. The fixes include a recently discovered zero-day bug which was exploited in the wild. This vulnerability has been given the CVE-2018-8440 identifier.
More about CVE-2018-8440
The brand new Windows zero-day flaw is also known as ALPC LPE and, as mentioned, it has been exploited in the wild.
The attacks began soon after information about the zero-day was published online, and users from all over the world have been affected. Details of the Windows LPE zero-day were initially posted on GitHub on August 27, 2018 and popularized via a Twitter post which was later deleted. Nonetheless, hackers were quick to adopt the information and include it in their attacks.
The vulnerability is a bug in the Windows operating system's Advanced Local Procedure Call (ALPC) function, known to affect versions from Windows 7 to Windows 10, and it results in a Local Privilege Escalation (LPE). In practice this allows malicious code to gain administrative privileges and modify the system as its author intends. The original tweet linked to a GitHub repository containing Proof-of-Concept code, which means any individual can download the sample code and use it as they like: in its original form, modified, or embedded in a payload.
The PowerPool hackers, a previously unknown hacking collective, have been found to orchestrate an attack campaign built on the CVE-2018-8440 zero-day. Even though only a limited number of users have been affected, the locations of the infected machines show that the campaign is global. The list of affected countries includes Chile, Germany, India, the Philippines, Poland, Russia, the United Kingdom, the United States and Ukraine. The good news is that the zero-day has been fixed in the September 2018 Patch Tuesday.
It should be mentioned that even though this zero-day was the only one to be actively exploited, it is not the only vulnerability which became public before Microsoft’s corresponding patch. Details of three other serious security flaws [one rated important, and two rated critical] were also available to the public, though no attacker seems to have leveraged them. These vulnerabilities are:
– CVE-2018-8409, described as a System.IO.Pipelines Denial of Service vulnerability;
– CVE-2018-8457, or a Scripting Engine Memory Corruption vulnerability;
– CVE-2018-8475, or a Windows Remote Code Execution vulnerability.
Other patches in this month’s Patch Tuesday address vulnerabilities in products such as Microsoft Windows, Microsoft Edge, Internet Explorer, ASP.NET, the .NET Framework, Edge’s ChakraCore component, Adobe Flash Player, Microsoft.Data.OData, Microsoft Office, Microsoft Office Services and Web Apps. For full reference, visit Microsoft.