Microsoft has rolled out its August Patch Tuesday fixes, addressing 19 critical vulnerabilities, including fixes for two zero-day vulnerabilities that are under active attack.
Overall, the company patched a total of 60 flaws, spanning Microsoft Windows, Edge, Internet Explorer (IE), Office, .NET Framework, ChakraCore, Exchange Server, Microsoft SQL Server and Visual Studio. Of those, 19 were critical, 39 were rated important, one was moderate and one was rated low in severity.
The patch release includes two exploited flaws, CVE-2018-8373 and CVE-2018-8414, which were previously disclosed by researchers.
The first zero-day, CVE-2018-8373, could result in remote code execution (RCE) and grants an attacker the same privileges as the logged-in user, including administrative rights. The vulnerability exists in IE 9, 10 and 11, impacting all Windows operating systems from Server 2008 to Windows 10.
Meanwhile, CVE-2018-8414 also enables RCE with the privileges of the logged-in user, and exists on Windows 10 versions 1703 and newer, as well as Server 1709 and Server 1803.
“The two zero-day vulnerabilities are … publicly disclosed and exploited,” said Chris Goettl, director of product management, security, for Ivanti, in an email. “CVE-2018-8373 is a vulnerability that exists in the way that the scripting engine handles objects in memory in Internet Explorer. CVE-2018-8414 code-execution vulnerability exists when the Windows Shell does not properly validate file paths.”
Microsoft also issued fixes, dubbed advisories, for security issues that don’t impact Windows but that the company thought were important enough to package into its OS updates.
One of these, Advisory 180018, touched on a new Meltdown and Spectre variant. This advisory, “Microsoft Guidance to Mitigate L1TF Variant,” addresses three vulnerabilities – CVE-2018-3615, CVE-2018-3620 and CVE-2018-3646. These speculative side-channel flaws were also disclosed today by Intel.
“Correcting these vulnerabilities requires both a software and firmware (microcode) update,” said Goettl. “As a mitigation, Microsoft does recommend disabling hyper-threading which can have a major performance impact.”
There are also several memory corruption vulnerabilities in Microsoft Edge, Internet Explorer 9-11 and the Chakra Scripting Engine (including CVE-2018-8380, CVE-2018-8381 and CVE-2018-8385).
Also, Microsoft SQL Server 2016 and 2017 contain a buffer overflow vulnerability (CVE-2018-8273) that can be remotely exploited with a specific SQL query directed to the server.
“This vulnerability is particularly concerning because it is relatively trivial to execute and many Microsoft SQL Servers are publicly accessible, which may mean an immediate uptick in attacks against these servers,” said Liska.
Microsoft also patched a Microsoft Graphics RCE vulnerability (CVE-2018-8344) in Windows 7-10 and Windows Server 2008-2016, which exists in the way that Microsoft handles certain embedded fonts.
Finally, Microsoft Exchange, versions 2010-2016, contains a memory corruption vulnerability (CVE-2018-8302) that, when properly exploited, would also enable RCE. To exploit this vulnerability, an attacker needs to send a specially crafted email to any account using the targeted Exchange Server. When the Exchange Server processes the incoming malicious email, the memory corruption vulnerability is triggered and the attached code can be executed.
Microsoft’s Patch Tuesday comes after the company found itself in hot water last month, when its new update model caused stability issues for Windows operating systems and applications, particularly in July. The model irked customers so much that enterprise patching veteran Susan Bradley wrote an open letter to Microsoft executives expressing the “dissatisfaction your customers have with the updates released for Windows desktops and servers in recent months.”