As a service to our customers, we post a monthly update when Patch Tuesday (second Tuesday of every month) rolls around. Below, you’ll find information about the new updates released from Microsoft and Adobe this cycle, and additional context that may be helpful as you prioritize these newly released vulnerabilities.
This month, Microsoft released fixes for 49 new vulnerabilities in the following products:
- Internet Explorer
- Microsoft Edge
- Microsoft Office (PowerPoint, Excel, Word)
- Microsoft Azure
- Microsoft Windows
- Microsoft Exchange Server
- Microsoft Device Guard
- Microsoft JET Database engine
- Microsoft SQL Server Management Studio
- Microsoft Windows Hyper-V
Additionally, Adobe released bulletins and patches for 101 vulnerabilities this cycle in the following products:
- Adobe Technical Communications Suite
- Adobe FrameMaker
- Adobe Experience Manager
- Adobe Flash Player
- Adobe Acrobat and Reader (Released on October 1)
Adobe Flash and Reader remain the most actively exploited client-side software according to Kenna’s intelligence (by number of unique events detected in 2018 associated with CVEs in the software), so ensuring these are regularly patched should remain a high priority.
Consistent with the findings in our Prioritization to Prediction report, only a small number of vulnerabilities from any given Patch Tuesday’s release are ever exploited in the wild. At time of writing, 8 CVEs from the last 4 months (July, August, September, October) have had events detected in the wild by Kenna’s global threat telemetry:
- CVE-2018-5028 (released in July cycle)
- CVE-2018-12794 (released in July cycle)
- CVE-2018-8353 (released in August cycle)
- CVE-2018-8401 (released in August cycle)
- CVE-2018-8414 (released in August cycle)
- CVE-2018-8353 (released in September cycle)
- CVE-2018-8440 (released in September cycle)
- CVE-2018-8453 (released in this cycle)
The detection in the wild of these (and only these) CVEs continues to constitute a <2% rate of exploitation in the wild across all Adobe and Microsoft CVEs released in the last four months.
As always, Kenna intelligence and scoring are dynamic and subject to significant adjustment based on new information. To check the latest scores, sign up here. You can view the raw data and analysis for this blog post here.