Patch Tuesday: Microsoft Addresses Two Zero-Days in 60-Flaw Roundup

Microsoft rolled out 60 patches in its Patch Tuesday release, covering 19 critical and 39 important flaws.

Microsoft has rolled out its August Patch Tuesday fixes, addressing 19 critical vulnerabilities, including fixes for two zero-day vulnerabilities that are under active attack.

Overall, the company patched a total of 60 flaws, spanning Microsoft Windows, Edge, Internet Explorer (IE), Office, .NET Framework, ChakraCore, Exchange Server, Microsoft SQL Server and Visual Studio. Of those, 19 were critical, 39 were rated important, one was moderate and one was rated low in severity.

The patch release includes two exploited flaws, CVE-2018-8373 and CVE-2018-8414, which were previously disclosed by researchers.

The first zero-day, CVE-2018-8373, could result in remote code execution (RCE) and grants the attacker the same privileges as the logged-in user, which means full administrative rights if that user is an administrator. The vulnerability exists in IE 9, 10 and 11, impacting all Windows operating systems from Server 2008 to Windows 10.

Meanwhile, CVE-2018-8414 also enables RCE with the privileges of the logged-in user, and exists on Windows 10 versions 1703 and newer, as well as Server 1709 and Server 1803.

“The two zero-day vulnerabilities are … publicly disclosed and exploited,” said Chris Goettl, director of product management, security, for Ivanti, in an email. “CVE-2018-8373 is a vulnerability that exists in the way that the scripting engine handles objects in memory in Internet Explorer. The CVE-2018-8414 code-execution vulnerability exists when the Windows Shell does not properly validate file paths.”

Microsoft also published advisories covering security issues that don’t directly affect Windows but that the company considered important enough to package with its OS updates.

One of these, ADV180018, touched on a new Meltdown and Spectre variant. This advisory, “Microsoft Guidance to Mitigate L1TF Variant,” addresses three vulnerabilities – CVE-2018-3615, CVE-2018-3620 and CVE-2018-3646. These speculative-execution side-channel flaws were also disclosed today by Intel.

“Correcting these vulnerabilities requires both a software and firmware (microcode) update,” said Goettl. “As a mitigation, Microsoft does recommend disabling hyper-threading which can have a major performance impact.”
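The guidance above has three moving parts that an administrator has to verify separately: an OS update, a microcode update, and a decision about hyper-threading. The following PowerShell script is an added defender-side check written for this article; it is not code from Threatpost, Ivanti or Microsoft. It uses the standard `Get-CimInstance`, `Get-ItemProperty` and `Get-HotFix` cmdlets, reads the boot processor's microcode revision from the registry key Windows populates at startup, and, if Microsoft's `SpeculationControl` module from the PowerShell Gallery is installed, reports its L1TF-related fields. The assumption here is that the object returned by `Get-SpeculationControlSettings` exposes properties whose names start with `L1TF`; the wildcard selection keeps the script working even if the exact property names differ.

```powershell
# Added example (not from the article): inventory the pieces the L1TF guidance
# depends on. Run in an elevated PowerShell session on the host being checked.

# 1. Hyper-threading: if the machine reports more logical processors than
#    physical cores, SMT is enabled. Disabling it is the mitigation the article
#    says Microsoft recommends, at a performance cost the reader must weigh.
$cpu     = Get-CimInstance -ClassName Win32_Processor
$cores   = ($cpu | Measure-Object -Property NumberOfCores -Sum).Sum
$logical = ($cpu | Measure-Object -Property NumberOfLogicalProcessors -Sum).Sum
$htEnabled = $logical -gt $cores
Write-Output ("Physical cores: {0}; logical processors: {1}; hyper-threading enabled: {2}" -f $cores, $logical, $htEnabled)

# 2. Microcode: Windows records the microcode revision the firmware loaded for
#    the boot processor as a binary value. Print it as hex so it can be compared
#    with the revision your OEM or Intel lists for the L1TF update (not included
#    here; that value comes from the vendor, not this script).
$cpuKey = 'HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor\0'
$cpuProps = Get-ItemProperty -Path $cpuKey
$ucodeBytes = $cpuProps.'Update Revision'
if ($ucodeBytes) {
    $ucodeHex = ($ucodeBytes | ForEach-Object { $_.ToString('X2') }) -join ''
    Write-Output ("Loaded microcode revision (raw bytes, hex): {0}" -f $ucodeHex)
} else {
    Write-Warning "Microcode revision value not found under $cpuKey"
}

# 3. OS-side mitigation state via Microsoft's SpeculationControl module.
#    Assumption: the returned object carries properties named L1TF* (for
#    example L1TFHardwareVulnerable, L1TFWindowsSupportEnabled).
if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
    Write-Warning "SpeculationControl module not installed; install it with: Install-Module SpeculationControl"
} else {
    Import-Module SpeculationControl
    $settings = Get-SpeculationControlSettings
    Write-Output "L1TF-related fields reported by Get-SpeculationControlSettings:"
    $settings | Select-Object -Property 'L1TF*' | Format-List
}

# 4. Most recent OS updates, so the state above can be tied to a patch cycle.
Write-Output "Ten most recently installed updates:"
Get-HotFix |
    Sort-Object -Property InstalledOn -Descending |
    Select-Object -First 10 -Property HotFixID, Description, InstalledOn
```

The script only reports; it changes nothing. Whether to turn hyper-threading off is a per-workload risk decision (multi-tenant hypervisors are the usual case where the L1TF exposure outweighs the throughput loss), and the microcode comparison in step 2 requires the target revision from the hardware vendor, which the article does not supply.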

Microsoft also pushed a security advisory, ADV180020, for flaws in affected Adobe products, which Adobe addressed in its own Patch Tuesday release earlier today.

There are also several memory corruption vulnerabilities in Microsoft Edge, Internet Explorer 9-11 and the Chakra Scripting Engine (including CVE-2018-8380, CVE-2018-8381 and CVE-2018-8385).

“This vulnerability occurs when Microsoft Edge accesses objects in memory, which could allow an attacker to execute code on the victim’s system,” Allan Liska, threat intelligence analyst at Recorded Future, told Threatpost. “This type of memory corruption is usually exploited using JavaScript, or another client-side scripting language, on a website the attacker owns or has compromised.”

In addition, Microsoft SQL Server 2016 and 2017 contain a buffer overflow vulnerability (CVE-2018-8273) that can be exploited remotely with a specially crafted SQL query sent to the server.

“This vulnerability is particularly concerning because it is relatively trivial to execute and many Microsoft SQL Servers are publicly accessible, which may mean an immediate uptick in attacks against these servers,” said Liska.

Microsoft also patched a Microsoft Graphics RCE vulnerability (CVE-2018-8344) in Windows 7-10 and Windows Server 2008-2016, which lies in the way the graphics component handles certain embedded fonts.

Finally, Microsoft Exchange, versions 2010-2016, contains a memory corruption vulnerability (CVE-2018-8302) that, when successfully exploited, also enables RCE. Exploitation requires sending a specially crafted email to any account hosted on the targeted Exchange Server; when the server processes the incoming malicious message, the memory corruption is triggered and the attached code runs. Because the trigger is server-side mail processing rather than a user action, patching the server is the only effective defense.

Microsoft’s Patch Tuesday comes after the company found itself in hot water last month, when its new update model caused stability issues for Windows operating systems and applications, with July’s releases the worst affected. The model irked customers so much that enterprise patching veteran Susan Bradley wrote an open letter to Microsoft executives expressing the “dissatisfaction your customers have with the updates released for Windows desktops and servers in recent months.”

Discussion

  • epoole59 on

    I have Windows 10 Pro and have never used Skype or turned it on. Cortana on its own opened Skype while I was not near my PC desktop, but I happened to see it open by itself. I closed it ASAP and ran my Norton Security, cleaned my Internet Options in Control Panel and ran a disk cleanup. This happened after a lightning strike hit our house and I lost Ethernet and had to turn on my Wi-Fi to get service. The only reason I purchased this desktop was for the Ethernet connection. While looking through new files on my PC, I found a new file from Google that stems from Adobe but was not opened by myself. In my Run prompt I saw a command chrome 4560.eu and other new downloads from Google. I know I sound dumb, no tech person here, but something is wrong. I rarely use the new desktop and only I use this product. Could I have gotten it while I had no protection after the lightning strike when my antivirus was down? Sorry to ask a silly question, but I found your site and it looks knowledgeable to me. Sincerely, Emily
    • Tara Seals on

      Hi Emily -- I'm sorry to hear you're plagued with this -- it definitely sounds like you've been hit with malware or some other kind of attack, if random files are appearing on your drives and things are opening on their own. I would run a strong antivirus check, make sure your software is up to date, and if the problems keep appearing, have your machine evaluated. Good luck! P.S. No such thing as silly questions. It could have been when you were connected to Wi-Fi, if you don't have a strong password on your network; or it could be that you triggered an infection by clicking on the wrong link or visiting the wrong website. There are a lot of different threat vectors, unfortunately.
