This month's patches from Microsoft include fixes for 50 distinct vulnerabilities. One that's already been seen exploited in the wild is CVE-2018-8453, a privilege escalation vulnerability allowing an attacker to gain full control over a system as long as they first have a way to execute code on an affected system (for example via a Remote Code Execution (RCE) vulnerability, which nearly half of this month's flaws are).

Three other vulnerabilities are not yet known to be exploited, but have been publicly disclosed. CVE-2018-8497 is another elevation of privilege vulnerability affecting Windows 10 / Server 2016 and newer. CVE-2018-8423 is an RCE in Microsoft's JET Database Engine, and affects all supported versions of Windows. The third public vulnerability is another RCE, relevant to developers who build products using the Azure IoT Hub Device Client C# SDK (CVE-2018-8531).

As usual, most of the vulnerabilities this month affect browsers (IE and/or Edge). IE 11 in particular has two nasty RCEs: CVE-2018-8460 and CVE-2018-8491 can both be exploited via browsing to a malicious web page. CVE-2018-8494 is a Critical RCE in MS XML, meaning browsers are a potential vector. Hyper-V also has two Critical RCEs: both CVE-2018-8489 and CVE-2018-8490 could allow a guest operating system to cause the host to execute arbitrary code.

Back-end administrators should take note of the updates for Exchange (resolving three vulnerabilities, two of which are RCE including one dating from 2010]), SharePoint (resolving four elevation of privilege vulnerabilities), and SQL Server Management Studio (resolving three information disclosure vulnerabilities). On the Office side, there are RCE vulnerabilities in PowerPoint, Excel, and Word related to how they handle objects in Protected View.

This is a rare month where no Adobe Flash Player security fixes came out (APSB18-35 states that only feature and performance bugs are addressed by the new release). However, today Adobe did issue security fixes for Digital Editions, Framemaker, Experience Manager and their Technical Communications Suite. Last week they also published updates for Acrobat and Reader which fixed 86 separate CVEs.

One last note: There are already patches for Windows 1809 and Windows Server 2019, both of which were just released for general availability last week (with some users reporting data loss after updating, causing Microsoft to pause the rollout).

Vulnerability Count by Component

Vulnerability Count by Impact

Vulnerability Count by Severity

CVSSv3 Base Score Distribution
Note: not all CVEs had CVSSv3 data available at the time of writing