September 2018 Patch Tuesday Briefing

Sep 11, 2018
Jonathan Cran

Share with Your Network

As a service to our customers, we post a monthly bulletin when Patch Tuesday (second Tuesday of every month) rolls around. Below, you’ll find information about the new updates released from Microsoft and Adobe this cycle, and additional information provided by Kenna that may be helpful in prioritization of these newly released vulnerabilities.

At time of writing, four CVEs from the previous two months have had events detected in the wild by Kenna’s sensor network:

  • CVE-2018-5028 (released in July cycle)
  • CVE-2018-8353 (released in August cycle)
  • CVE-2018-8401 (released in August cycle)
  • CVE-2018-8414 (released in August cycle)


These CVEs and their exploitation in the wild constitute a slightly <2% rate of exploitation in the wild, consistent with the findings in our Prioritization to Prediction report.

If we include a count of CVEs with public exploit information AND detected events, that number jumps to approximately 5% of CVEs released in the past two months, also consistent with the report’s findings.

These low percentages of exploitation in the wild are why we stress a prioritized and risk-based approach to the Patch Tuesday cycle – even (especially) when words like “critical” are used to describe these new vulnerabilities. That’s not to say that we are against regular patching cadence and operationalizing process – quite the opposite. A risk-based approach can and should utilize regular processes to address as many vulnerabilities as possible – but practitioners can now inform these processes with intelligence.

In addition to the CVEs above, we’ve ranked a single CVE from this month, the local privesc bug (now: CVE-2018-8440) as a high risk.  An exploit for this vulnerability was released on Twitter earlier this month, and quickly weaponized. You can read more about the bug’s release and the weaponization of the bug and subsequent detection by ESET researchers here. If you were forced to focus on one new issue this month, this should be the one.

This month, Microsoft released fixes for 63 new vulnerabilities, 17 rated critical in the following software:

  • Internet Explorer
  • Azure
  • Windows
  • ChakraCore
  • .NET Framework
  • SQL Server
  • Microsoft Office
  • Office Services


Adobe released bulletins and patches for only 1 vulnerability this cycle in the following products:


Flash and Reader are the most exploited client-side software of 2018 by number of CVEs detected in the wild, so these should be considered high priority as always.

Also, you can find a full listing of this month’s CVEs, with current – as of writing –  risk scores for older vulnerabilities. As always, Kenna scores are dynamic, and subject to significant adjustment based on new intelligence. To check the latest scores, sign up here.

Read the Latest Content

Research Reports

Prioritization to Prediction Volume 5: In Search of Assets at Risk

The fifth volume of the P2P series explores the vulnerability risk landscape by looking at how enterprises often view vulnerabilities.

5 Things Every CIO Should Know About Vulnerability Management

If you view vulnerability management (VM) as just a small part of your operation, it might be time to take another look.  Managing vulnerabilities is...



Get Started Using the Exploit Prediction Scoring System (EPSS).

Cyentia Institute’s Chief Data Scientist and Founder Jay Jacobs gives tips on how to get started using the Exploit Prediction Scoring System (EPSS). You...

© 2022 Kenna Security. All Rights Reserved. Privacy Policy.