It's September 2018, and Windows VMs can pwn their host servers by launching an evil app

Admins will again be working overtime as Microsoft and Adobe have posted their monthly scheduled security updates for September.

This month's Patch Tuesday bundle includes critical fixes for Windows, SQL Server, and Hyper V, as well as Flash and Cold Fusion.

Rude guests and ugly images menace Microsoft

In total, Microsoft addressed 61 CVE-listed vulnerabilities this month, including 23 that would potentially allow for remote code execution.

One of the more noteworthy of those bugs is CVE-2018-8475, a remote code flaw that can be triggered simply by viewing an image file in Windows. While no exploits are out, Microsoft warns that details on the vulnerability are already public.

"Open the wrong image – even through a web browser – and code executes, making this a browse-and-own scenario," explains Dustin Childs of Trend Micro's Zero Day initiative.

"Microsoft provides no information on where this is public, but given the severity of the issue and the relative ease of exploitation, expect this one to find its way into exploit kits quickly."

Also raising eyebrows was CVE-2018-0965, a bug in Hyper-V that would let a virtual machine instance achieve remote code execution on the host server simply by running a specially-crafted application within a VM.

Admins will want to prioritize the patch for CVE-2018-8440, an elevation of privilege flaw that is being actively targeted in the wild. The vulnerability can be traced to a flaw in the handling of the Windows Advanced Local Procedure Call (ALPC).

"An ALPC is an internal mechanism normally restricted to Windows operating system components. A lack of permissions checking in the Spooler process allows the elevation," Childs explained.

"This bug should be on the top of everyone’s deployment list."

As per usual, most of the other remote code bugs are in the Edge and IE browsers as well as their respective scripting engines. The two browsers were the recipients of 11 of the 23 remote code fixes, include one (CVE-2018-8440) that has already been made public.

Office also received a number of fixes, including for remote code execution bugs in Word (CVE-2018-8430), Excel (CVE-2018-8331), as well as a cross-site-scripting bug in SharePoint CVE-2018-8426 and a security feature bypass in Lync for Mac 2011 (CVE-2018-8457).

Azure, meanwhile, received a fix for a server spoofing flaw (CVE-2018-8479) and the .NET framework had one remote code execution flaw (CVE-2018-8421) addressed.

CVE-2018-8421 is a bug in Device Guard that puts PCs in danger by allowing attackers to forge file signatures.

"Because Device Guard relies on the signature to determine the file is non-malicious, Device Guard could then allow a malicious file to execute," Microsoft explained.

Meanwhile, over at Adobe…

This month wasn't so bad for Flash, as the internet's broken screen door only needed a single CVE-listed bug patched. Dubbed CVE-2018-15967, the flaw could allow for information disclosure, a refreshing change from the usual parade of remote code execution bugs Adobe delivered in previous months.

Adobe's only other patch of the day was for ColdFusion. The web app developer suite saw an update for nine CVE-listed flaws, five of which could potentially allow remote code execution. ®