Endpoint

5/8/2018
05:05 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Microsoft's Patch Tuesday Fixes Two CVEs Under Active Attack

This month's updates addressed vulnerabilities in Windows, Office, Edge, Internet Explorer, .Net Framework, Exchange Server, and other services.

Microsoft's Patch Tuesday arrived with a sense of urgency this month, addressing two vulnerabilities under active attack and 66 other CVEs affecting Windows, Office, Office Services, Internet Explorer, Edge, Visual Studio, Web Apps, ChakraCore, Hyper-V Server, and Azure IoT SDK.

Of the 68 total CVEs addressed, 21 are rated as Critical, 45 are considered Important, and two are of Low severity. In addition to the two under active attack, two were listed as publicly known at the time of release, according to a report from Trend Micro's Zero-Day Initiative (ZDI).

The CVEs of highest priority are those under active attack. CVE-2018-8174, the more severe flaw, is a Windows VBScript Engine Remote Code Execution Vulnerability. The zero-day was detected and analyzed in April by Kaspersky Lab researchers, who reported it to Microsoft.

"This technique, until fixed, allowed criminals to force Internet Explorer to load, no matter which browser one normally used -- further increasing an already huge attack surface," says Anton Ivanov, security researcher at Kaspersky.

The zero-day bug is located in the VBScript Engine and its attacks are similar to those of browser vulnerabilities. It appears to be moving around as an Office document, likely Word, with an embedded Web page. These embedded pages are rendered by the VBScript Engine, says Dustin Childs, communications director for ZDI, so a user only has to visit an infected site for an attacker to execute code on their machine.

An attacker may also embed an ActiveX control marked "safe for initialization" in an Office doc or application that hosts the IE rendering engine. This appears to be the case here: Attackers send the file to targets; once it's opened, code execution occurs.

"This is a dangerous bug for a couple of reasons," Childs explains. "For users of IE, it acts like a standard browser bug - go to a bad website and get owned. However, VBScript Engine bugs have a broader impact since it also touches ActiveX controls and embedded Web pages in Office documents."

The other bug under active attack is CVE-2018-8120, a Win32k Elevation of Privilege Vulnerability affecting Windows 7, Server 2008, and Server 2008 R2. This bug lets an attacker who is logged onto a system run a specially crafted file to gain privileged access. While it's being actively used in malware, researchers are unsure how far the malware has spread.

"At that point the attacker would have full permissions to install or remove programs, add users, view, change, or delete data. This type of vulnerability is how a threat actor would elevate their privileges to gain full access to a system they have gained access to," says Chris Goettl, director of product management for security at Ivanti.

Microsoft issued 17 Critical, and 7 Important, patches for browser bugs. There are several patches issued for Office; the most important are those for Outlook and Sharepoint, ZDI reports. An Exchange update prevents a command injection attack, and the .NET Framework has a couple of patches rated Important.

Gren Wiseman, senior security researcher at Rapid7, points to one vulnerability, CVE-2018-8897 as "a nice example of coordinated disclosure" from OS vendors and the result of nearly all vendors incorrectly addressing debug exceptions stemming from Intel architecture chips. Microsoft, Apple, VMware FreeBSD, and multiple Linux distributions all posted advisories today.

For Microsoft Windows, CVE-2018-8897 could let a local attacker escalate privilege and run arbitrary code in kernel mode, he explains.

Microsoft this month also announced two public disclosures, meaning a vulnerability has been found and there is enough information on how it works to give an attacker the advantage before companies can update. One of these is CVE-2018-8141, a Windows kernel flaw; the other is CVE-2018-8170, a Windows Image bug that could lead to Elevation of Privilege. For both of these, an attacker could need to log on or obtain local access to exploit.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
arianapham
50%
50%
arianapham,
User Rank: Apprentice
9/21/2018 | 5:12:39 AM
thank
good idea.I agree with you
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
Most IT Security Pros Want to Change Jobs
Dark Reading Staff 10/12/2018
4 Ways to Fight the Email Security Threat
Asaf Cidon, Vice President, Content Security Services, at Barracuda Networks,  10/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.