This month’s Patch Tuesday fixes a JET Database Engine Vulnerability (CVE-2018-8423) that Trend Micro’s Zero Day Initiative (ZDI) disclosed last September together with a proof of concept code. The vulnerability, which was rated as Important, can allow an attacker to send a specially crafted file containing data in the JET database format. When accessed on a machine, it can allow the JET database engine to execute an out-of-bounds write that would then allow for remote code execution. This month, Microsoft released 49 patches and two advisories, with 12 listed as Critical, 35 as Important, one Moderate, and one Low. Of the 49 CVEs, eight were disclosed through the ZDI program.
The patch release also fixed a vulnerability that’s currently under active attack: CVE-2018-8453, which is a Win32K elevation of privilege zero-day discovered by security researchers from Kaspersky Labs. To exploit this bug, an attacker must first successfully log into the system. However, once a system is infiltrated, an attacker can install programs as well as view, modify, or even delete data. It can also allow attackers to create new accounts with full user rights on an infiltrated system. This month’s patch corrects how Win32K handles objects in memory.
Meanwhile, on the Adobe front, a massive 86 CVEs were patched in total. On October 1, early patches were released for both Acrobat and Reader, while additional patches for Flash, Framemaker, Adobe Digital Editions, and the Adobe Technical Communications Suite were released on Patch Tuesday. 47 of the bugs are listed as Critical, and a total of 14 were handled by the ZDI.
Trend Micro Deep Security and Vulnerability Protection protect user systems from any threats that may target the vulnerabilities addressed in this month’s round of updates via the following DPI rules:
The post October Patch Tuesday: Microsoft Repairs JET Database Engine Bug, Win32K EoP Zero-Day appeared first on .