Microsoft has recently released the security fixes, this time they have addressed around century of vulnerabilities, which include one of the critical zero day and three of which have been publicly disclosed.
The most critical vulnerability that needs to be fixing is CVE-2018-8453, a privilege escalation flaw in Win32 which simply means that the OS fails to properly handle the object in memory.
“An attacker who first needs to login into the operating system, and then they can exploit this vulnerability to run the code in the kernel and gain successful administrator privilege,” Explained clearly by Ivanti director of product management, Chris Goettl. “This vulnerability has a Base CVSS score of 7 and is present in all operating systems with updates this month from Server 2008 through Windows 10.”
In the recent note, Microsoft has successfully released a fix for these vulnerabilities which forced the firm to pause its Windows 10 October 2018 Update (version 1809).
According to Redmond, “an incorrect timing calculation may prematurely delete user profile on the devices which is subject to the ‘Delete user profiles older than a specific number of day’ group policy.” In effect, the bug has deleted all the customer files in their C:/User/[username]/Document/ folder, and it is rolling back to the previous version did not restore the files.
There is a major amount of criticism from the security experts as to how Microsoft managed to let such a huge fault ship with its latest update, especially as the issue has been flagged in the past.
Three publicly disclosed bugs that really need to be addressed, according to Rapid7 senior security researcher, Greg Wiseman.
“CVE-2018-8497 is another elevation of privilege vulnerability affecting Windows 10 / Server 2016 and newer,” he explained. “CVE-2018-8423 is an RCE in Microsoft’s JET Database Engine and affected all the supported version of Windows. The third public vulnerability [CVE-2018-8531] is another RCE, relevant to developers who build products using the Azure IoT Hub Device Client C# SDK.”