September 2018 Patch Tuesday Briefing
As a service to our customers, we post a monthly bulletin when Patch Tuesday (second Tuesday of every month) rolls around. Below, you’ll find information about the new updates released from Microsoft and Adobe this cycle, and additional information provided by Kenna that may be helpful in prioritization of these newly released vulnerabilities.
At time of writing, four CVEs from the previous two months have had events detected in the wild by Kenna’s sensor network:
- CVE-2018-5028 (released in July cycle)
- CVE-2018-8353 (released in August cycle)
- CVE-2018-8401 (released in August cycle)
- CVE-2018-8414 (released in August cycle)
These four CVEs with observed exploitation in the wild represent a rate of just under 2% (<2%), consistent with the findings in our Prioritization to Prediction report.
If we also count CVEs that have public exploit information AND detected events, that figure rises to approximately 5% of the CVEs released in the past two months, again consistent with the report’s findings.
These low rates of exploitation in the wild are why we stress a prioritized, risk-based approach to the Patch Tuesday cycle – even (especially) when words like “critical” are used to describe the new vulnerabilities. That is not to say we are against a regular patching cadence and an operationalized process – quite the opposite. A risk-based approach can and should use regular processes to address as many vulnerabilities as possible – but practitioners can now inform those processes with intelligence about which vulnerabilities are actually being exploited.
In addition to the CVEs above, we have ranked a single CVE from this month, the local privilege escalation bug (now: CVE-2018-8440), as high risk. An exploit for this vulnerability was released on Twitter earlier this month and was quickly weaponized. You can read more about the bug’s release, its weaponization, and the subsequent detection by ESET researchers here. If you were forced to focus on one new issue this month, this should be the one.
This month, Microsoft released fixes for 63 new vulnerabilities, 17 of which are rated critical, in the following software:
- Internet Explorer
- .NET Framework
- SQL Server
- Microsoft Office
- Office Services
Adobe released bulletins and patches for only 1 vulnerability this cycle in the following products:
- Flash Player (1) – 1 Important
Flash and Reader are the most exploited client-side software of 2018 by number of CVEs detected in the wild, so these should be treated as high priority, as always.
You can also find a full listing of this month’s CVEs, along with current – as of writing – risk scores for older vulnerabilities. As always, Kenna scores are dynamic and subject to significant adjustment as new intelligence arrives. To check the latest scores, sign up here.