Microsoft patched nearly 50 vulnerabilities this month, including patches for an Adobe Flash Player zero-day vulnerability that was announced earlier this month. The majority of fixes dealt with elevation of privilege vulnerabilities that can allow attackers with a foothold on the machine to gain SYSTEM-level privileges.
One of the vulnerabilities CVE-2018-0771 is a Security Feature Bypass vulnerability in the Edge browser, affecting websites that accept or host user-provided content or advertisements, could allow an attacker to host a specially crafted website designed to exploit the vulnerability.
Ivanti’s Chris Goettl noted this month’s patch release consisted of a pretty typical lineup of patches, adding that the Operating System updates, Internet Explorer, Flash for IE, Edge, Office, and Sharepoint are accounted for.
“This month there are also a number of elevation of privilege vulnerabilities with an exploitability index of 1, meaning they are more likely to be exploited,” Goettl said. “While these vulnerabilities cannot be exploited remotely, they could be used by a threat actor to gain elevated privileges on a system they have compromised through some other means.”
The update did patch did however patch some vulnerabilities that could allow remote code execution including CVE-2018-0841. Goettl said the vulnerability could be exploited through a hosted website, via an attachment in email and it exploited would grant an attacker rights equal to that of the current users potentially granting full control of the system if said user had full admin rights.