Patch Tuesday: Microsoft issues fixes for 39 vulnerabilities, including a zero-day already being exploited by hacking groups

Hacking groups FruityArmor and SandCat have already made use of the privilege escalation bug

Microsoft has issued patches for 39 vulnerabilities, including a zero-day bug that has already been exploited by hacking groups.

This vulnerability, a race condition in the Kernel Transaction Manager code of the Windows kernel image ntoskrnl.exe, was reported to Microsoft on 29th October by security vendor Kaspersky Lab. Listed as CVE-2018-8611 and rated 'important', it is a local privilege escalation bug. Kaspersky Lab researchers say it has already been exploited by the hacking groups FruityArmor and SandCat.

"CVE-2018-8611 is an especially dangerous threat - a vulnerability in the Kernel Transaction Manager driver. It can also be used to escape the sandbox in modern web browsers, including Chrome and Edge, since syscall filtering mitigations do not apply to ntoskrnl.exe system calls," the company says.

Kaspersky continues: "This vulnerability successfully bypasses modern process mitigation policies, such as Win32k System call Filtering that is used, among others, in the Microsoft Edge Sandbox and the Win32k Lockdown Policy employed in the Google Chrome Sandbox. Combined with a compromised renderer process, for example, this vulnerability can lead to a full Remote Command Execution exploit chain in the latest state-of-the-art web-browsers."

All supported versions of Windows, from Windows 7 through Server 2019, are affected by the bug, and Microsoft's Patch Tuesday update fixes it. This is the fourth actively exploited zero-day that Microsoft has patched in as many monthly updates.
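Because the fix ships inside the monthly cumulative update or rollup rather than as a stand-alone patch, the practical check is whether a host has taken a security update on or after the December 2018 Patch Tuesday. The following PowerShell script is an added example, not code from the article or from Microsoft: it reports the OS build, the running kernel's file version and any cumulative or rollup update installed since that date. KB numbers differ per OS build, so none is hard-coded; the `-ExpectedKB` parameter is an assumption for the reader to fill in from Microsoft's CVE-2018-8611 advisory, and the fixed ntoskrnl.exe version must likewise be compared against that advisory.

```powershell
# Added example (not from the original article): check whether a Windows host has
# installed a security update on or after the December 2018 Patch Tuesday and show
# the kernel file version, for comparison with Microsoft's CVE-2018-8611 advisory.
# Run from an elevated PowerShell prompt.
param(
    [datetime]$PatchTuesday = '2018-12-11',
    [string]$ExpectedKB        # assumption: the KB for this OS build, taken from the MSRC advisory
)

$os     = Get-CimInstance Win32_OperatingSystem
$kernel = (Get-Item "$env:SystemRoot\System32\ntoskrnl.exe").VersionInfo

Write-Host ("OS: {0} (build {1})" -f $os.Caption, $os.BuildNumber)
Write-Host ("ntoskrnl.exe file version: {0}" -f $kernel.FileVersion)

# Query Windows Update history through the WUA COM API. The kernel fix travels in the
# cumulative update (Windows 10 / Server 2016+) or the monthly rollup / security-only
# update (Windows 7, 8.1 and their server equivalents).
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$total    = $searcher.GetTotalHistoryCount()
$recent   = $searcher.QueryHistory(0, $total) |
    Where-Object { $_.Date -ge $PatchTuesday -and $_.ResultCode -eq 2 } |   # 2 = orcSucceeded
    Where-Object { $_.Title -match 'Cumulative Update|Security Monthly Quality Rollup|Security Only Quality Update' } |
    Select-Object Date, Title

if ($recent) {
    Write-Host ("Security updates installed on or after {0}:" -f $PatchTuesday.ToShortDateString())
    $recent | Format-Table -AutoSize
} else {
    Write-Warning ("No cumulative or rollup update installed since {0}; host is likely still exposed to CVE-2018-8611." -f $PatchTuesday.ToShortDateString())
}

# Optional direct check for the specific KB the administrator looked up for this build.
if ($ExpectedKB) {
    $hotfix = Get-HotFix -Id $ExpectedKB -ErrorAction SilentlyContinue
    if ($hotfix) { Write-Host ("{0} is installed (on {1})." -f $ExpectedKB, $hotfix.InstalledOn) }
    else         { Write-Warning ("{0} is NOT installed." -f $ExpectedKB) }
}
```

A host that shows no qualifying update and a kernel file version older than the one listed in the advisory should be treated as unpatched; the update-history query is the more reliable signal on Windows 10, where `Get-HotFix` can lag behind the WUA history for cumulative updates.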

A second, publicly disclosed flaw is also fixed in the update. CVE-2018-8517 is a denial-of-service vulnerability in the .NET Framework: an unauthenticated attacker can send specially crafted web requests to a .NET web application and crash it remotely. Despite being remotely triggerable, it does not allow code execution.

The update also bundles Adobe's fixes for Flash Player: CVE-2018-15982, a critical use-after-free bug that allows arbitrary code execution and was already being exploited in the wild, and CVE-2018-15983, an insecure library loading flaw that allows privilege escalation.

In addition to the zero-day and nine flaws rated critical, the update fixes 29 further vulnerabilities rated important across Windows, Edge, Internet Explorer, ChakraCore, Office and Microsoft Office Services and Web Apps, .NET and other Microsoft products.