System administrators will have extra work in the coming days. Digital forensic experts from the International Cybernetic Security Institute said that the next group of updates to be released by Microsoft will include fixes for nine critical vulnerabilities, including a fix for a zero-day vulnerability.
Besides the 39 flaws reported by Microsoft, administrators will also have to wait for a new update to fix the 87 bugs reported by Adobe. The most relevant (CVE-2018-8611) is a permission bypass bug that affects all supported operating systems from Windows 7 to Server 2019. This vulnerability would allow a malicious user to execute arbitrary code in kernel mode.
“Before exploiting this vulnerability, the possible attacker would have to log in to the system. The attacker could run a specially designed application to seize control of the compromised system”, said some of the digital forensic experts.
A Microsoft security advisory adds: “An attacker who successfully exploits this vulnerability could execute arbitrary code in kernel mode to install programs, view, change or delete data, or create new accounts with given user privileges”. Another relevant flaw is CVE-2018-8517, a vulnerability that can be used to cause DDoS conditions in web applications.
“The vulnerability could be exploited remotely and without authentication by sending a specially designed request to the vulnerable application”, explained Chris Goettl, an expert in computer security and digital forensics.
“Exploitation of this vulnerability is considered very complicated; however, since it has been publicly disclosed, there could be enough information available for an attacker to create an easier way to exploit the flaw”, said the expert.
Allan Liska, a cybersecurity specialist, emphasises that among the vulnerabilities to be fixed there is an overflow bug in Microsoft's DNS server (CVE-2018-8626), as well as several critical flaws in the Microsoft Edge Chakra Core scripting engine.
“There have now been 15 consecutive months in which Microsoft has reported a vulnerability in the Chakra scripting engine. The last time that Microsoft left the Chakra scripting engine untouched was in September 2017”, said Liska.
This time, Chakra has two memory corruption vulnerabilities (CVE-2018-8583 and CVE-2018-8629) that would allow a hacker to execute arbitrary code on the victim’s system.
The experts also recommended that companies that work with Adobe install the updated patches as soon as possible, especially those addressing CVE-2018-15982 and CVE-2018-15983, two zero-day flaws in Adobe Flash that have already been exploited in real-world incidents.