Tuesday, January 9, 2018

Microsoft Patch Tuesday - January 2018

Today Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 56 new vulnerabilities with 16 of them rated critical, 39 of them rated important and 1 of them rated Moderate. These vulnerabilities impact ASP.NET, Edge, Internet Explorer, Office, Windows, and more.

In addition to the 56 vulnerabilities addressed, Microsoft has also released an update that addresses Meltdown and Spectre. Mitigations for these two vulnerabilities were published for Windows in ADV180002. Note that due to incompatibilities with anti-virus products, users and organizations may not have received this update yet. For more information, users should refer to Microsoft's knowledge base article which covers this issue.


Vulnerabilities Rated Critical


Microsoft has assigned the following vulnerabilities a Critical severity rating:
  • CVE-2018-0758 - Scripting Engine Memory Corruption Vulnerability
  • CVE-2018-0762 - Scripting Engine Memory Corruption Vulnerability
  • CVE-2018-0767 - Scripting Engine Information Disclosure Vulnerability
  • CVE-2018-0769 - Scripting Engine Memory Corruption Vulnerability
  • CVE-2018-0770 - Scripting Engine Memory Corruption Vulnerability
  • CVE-2018-0772 - Scripting Engine Memory Corruption Vulnerability
  • CVE-2018-0773 - Scripting Engine Memory Corruption Vulnerability
  • CVE-2018-0774 - Scripting Engine Memory Corruption Vulnerability
  • CVE-2018-0775 - Scripting Engine Memory Corruption Vulnerability
  • CVE-2018-0776 - Scripting Engine Memory Corruption Vulnerability
  • CVE-2018-0777 - Scripting Engine Memory Corruption Vulnerability
  • CVE-2018-0778 - Scripting Engine Memory Corruption Vulnerability
  • CVE-2018-0780 - Scripting Engine Information Disclosure Vulnerability
  • CVE-2018-0781 - Scripting Engine Memory Corruption Vulnerability
  • CVE-2018-0797 - Microsoft Word Memory Corruption Vulnerability
  • CVE-2018-0800 - Scripting Engine Information Disclosure Vulnerability
The following is a brief description of each vulnerability.

Multiple CVEs - Scripting Engine Memory Corruption Vulnerability


Multiple remote code execution vulnerabilities have been discovered that affect Microsoft Edge and Internet Explorer. These vulnerabilities manifest due to Internet Explorer and Edge not properly handling objects in memory. Successful exploitation of these vulnerabilities could result in an attacker obtaining the ability to execute code within the context of the current user. Scenarios where these vulnerabilities would likely be exploited include web-based attacks where the user navigates to a malicious web page designed to exploit this vulnerability or, in some cases, opens a Microsoft Office document that utilizes the browser rendering engine.

The following is a list of CVEs related to these vulnerabilities.
  • CVE-2018-0758
  • CVE-2018-0762
  • CVE-2018-0769
  • CVE-2018-0770
  • CVE-2018-0772
  • CVE-2018-0773
  • CVE-2018-0774
  • CVE-2018-0775
  • CVE-2018-0776
  • CVE-2018-0777
  • CVE-2018-0778
  • CVE-2018-0781

Multiple CVEs - Scripting Engine Information Disclosure Vulnerability


Two information disclosure vulnerabilities have been discovered that affect Microsoft Edge. These vulnerabilities manifests due to Microsoft Edge not properly handling objects in memory. These vulnerabilities could be leveraged by an attacker to obtain sensitive information from an affected system. This information could then be utilized to launch additional attacks against the system. Scenarios where these vulnerabilities would like be exploited include web-based attacks where the user navigates to a malicious web page designed to exploit this vulnerability.

The following is a list of CVEs related to these vulnerabilities.
  • CVE-2018-0767
  • CVE-2018-0780
  • CVE-2018-0800

CVE-2018-0797 - Microsoft Word Memory Corruption Vulnerability


A remote code execution vulnerability has been discovered that affects Microsoft Office. This vulnerability manifests due to Microsoft Office failing to properly handle RTF files. Successful exploitation of this vulnerability could result in an attacker gaining the ability to execute code within the context of the current user. Scenarios where this vulnerability would likely be exploited include web-based attacks where the user navigates to a malicious web page containing a specially crafted RTF file or in email-based attacks where the user opens a specially crafted file that has been received as an email attachment.

Vulnerabilities Rated Important


Microsoft has assigned the following vulnerabilities an Important severity rating:
  • CVE-2018-0741 - Microsoft Color Management Information Disclosure Vulnerability
  • CVE-2018-0743 - Windows Subsystem for Linux Elevation of Privilege Vulnerability
  • CVE-2018-0744 - Windows Elevation of Privilege Vulnerability
  • CVE-2018-0745 - Windows Information Disclosure Vulnerability
  • CVE-2018-0746 - Windows Information Disclosure Vulnerability
  • CVE-2018-0747 - Windows Information Disclosure Vulnerability
  • CVE-2018-0748 - Windows Elevation of Privilege Vulnerability
  • CVE-2018-0749 - SMB Server Elevation of Privilege Vulnerability
  • CVE-2018-0750 - Windows GDI Information Disclosure Vulnerability
  • CVE-2018-0751 - Windows Elevation of Privilege Vulnerability
  • CVE-2018-0752 - Windows Elevation of Privilege Vulnerability
  • CVE-2018-0753 - Windows IPSec Denial of Service Vulnerability
  • CVE-2018-0754 - ATMFD.dll Information Disclosure Vulnerability
  • CVE-2018-0764 - .NET and .NET Core Denial Of Service Vulnerability
  • CVE-2018-0766 - Microsoft Edge Information Disclosure Vulnerability
  • CVE-2018-0768 - Scripting Engine Memory Corruption Vulnerability
  • CVE-2018-0784 - ASP.NET Core Elevation Of Privilege Vulnerability
  • CVE-2018-0786 - .NET Security Feature Bypass Vulnerability
  • CVE-2018-0788 - ATMFD.dll Information Disclosure Vulnerability
  • CVE-2018-0789 - Microsoft Office Spoofing Vulnerability
  • CVE-2018-0790 - Microsoft Office Information Disclosure Vulnerability
  • CVE-2018-0791 - Microsoft Outlook Remote Code Execution Vulnerability
  • CVE-2018-0792 - Microsoft Word Remote Code Execution
  • CVE-2018-0793 - Microsoft Outlook Remote Code Execution
  • CVE-2018-0794 - Microsoft Word Remote Code Execution
  • CVE-2018-0795 - Microsoft Office Remote Code Execution
  • CVE-2018-0796 - Microsoft Excel Remote Code Execution
  • CVE-2018-0798 - Microsoft Word Memory Corruption Vulnerability
  • CVE-2018-0799 - Microsoft Access Tampering Vulnerability
  • CVE-2018-0801 - Microsoft Office Remote Code Execution Vulnerability
  • CVE-2018-0802 - Microsoft Office Memory Corruption Vulnerability
  • CVE-2018-0803 - Microsoft Edge Elevation of Privilege Vulnerability
  • CVE-2018-0805 - Microsoft Word Remote Code Execution Vulnerability
  • CVE-2018-0806 - Microsoft Word Remote Code Execution Vulnerability
  • CVE-2018-0807 - Microsoft Word Remote Code Execution Vulnerability
  • CVE-2018-0812 - Microsoft Word Memory Corruption Vulnerability
  • CVE-2018-0818 - Scripting Engine Security Feature Bypass
  • CVE-2018-0819 - Spoofing Vulnerability in Microsoft Office for MAC
The following is a brief description of each vulnerability:

CVE-2018-0741 - Microsoft Color Management Information Disclosure Vulnerability


An information disclosure vulnerability has been discovered affecting Microsoft Graphics Component. This vulnerability manifests due to the Color Management Module (ICM32.dll) not properly handling objects in memory. Successful exploitation of this vulnerability could provide an attacker with the information required to bypass Address Space Layout Randomization (ASLR). While this vulnerability does not provide code execution, it could make it easier to successfully exploit remote code execution vulnerabilities due to the ability of the attacker to bypass ASLR.

CVE-2018-0743 - Windows Subsystem for Linux Elevation of Privilege Vulnerability


A privilege escalation vulnerability has been discovered affecting Windows Subsystem for Linux. This vulnerability manifests due to an integer overflow present in Windows Subsystem for Linux. Successful exploitation of this vulnerability requires an authenticated local attacker to run a specially crafted program and could allow them to execute code with elevated privileges on affected systems.

CVE-2018-0744 - Windows Elevation of Privilege Vulnerability


A privilege escalation vulnerability has been discovered affecting the Windows Kernel. This vulnerability manifests due to the Windows kernel failing to properly handle objects in memory. Successful exploitation of this vulnerability requires an authenticated local attacker to run a specially crafted program and could allow them to execute code with elevated privileges on affected systems.

Multiple CVEs - Windows Information Disclosure Vulnerability


Multiple information disclosure vulnerabilities have been discovered affecting Windows kernel. Successful exploitation of these vulnerability could provide an attacker information required to bypass ASLR as they allows the retrieval of the memory address of kernel objects. Exploitation of these vulnerability would require an authenticated local attacker to run a specially crafted program.

The following is a list of CVEs related to these vulnerabilities.
  • CVE-2018-0745
  • CVE-2018-0746
  • CVE-2018-0747

Multiple CVEs - Windows Elevation of Privilege Vulnerability


Multiple privilege escalation vulnerabilities have been discovered affecting the Windows kernel. These vulnerabilities manifests due to the Windows Kernel API failing to properly enforce permissions. Successful exploitation of these vulnerability would require an authenticated local attacker to execute a specially crafted program and could result in the attacker having the ability to impersonate processes, inject cross-process communications, or interrupt system functionality.

The following is a list of CVEs related to these vulnerabilities.
  • CVE-2018-0748
  • CVE-2018-0751
  • CVE-2018-0752

CVE-2018-0749 - SMB Server Elevation of Privilege Vulnerability


A privilege escalation vulnerability has been discovered affecting Windows SMB Server. This vulnerability manifests when an attacker with valid credentials to authenticate to an affected system opens a specially crafted file locally using the SMB protocol. Successful exploitation of this vulnerability could allow an attacker to bypass certain security checks. An attacker must have valid credentials and be authenticated to the affected system.

CVE-2018-0750 - Windows GDI Information Disclosure Vulnerability


An information disclosure vulnerability has been discovered affecting Microsoft Graphics Component. This vulnerability manifests due to the Windows GDI component improperly disclosing kernel memory addresses. Successful exploitation of this vulnerability could result in an attacker obtaining sensitive information that could be used to further attack the system. In order to exploit this vulnerability an attacker need to log on to the affected system and execute a specially crafted program.

CVE-2018-0753 - Windows IPSec Denial of Service Vulnerability


A denial of service vulnerability has been discovered that affects IPSec. This vulnerability manifests due to Windows improperly handling objects in memory. Successful exploitation of this vulnerability could allow an attacker to cause a system to stop responding, preventing the system from being used by authorized users.

CVE-2018-0754 - ATMFD.dll Information Disclosure Vulnerability


An information disclosure vulnerability exists affecting Graphics Fonts. This vulnerability manifests due to the Adobe Type Manager Font Driver (ATMFD.dll) improperly handling objects in memory. Successful exploitation of this vulnerability could allow an attacker to obtain sensitive information that could be used to further attack affected systems. Scenarios where this vulnerability would likely be exploited include an attacker opening a document containing specially crafted fonts on an affected system.

CVE-2018-0764 - .NET and .NET Core Denial Of Service Vulnerability


A denial of service vulnerability has been discovered affecting the .NET Framework. This vulnerability manifests due to .NET and .NET core improperly processing XML documents. Successful exploitation of this vulnerability could cause a denial of service in an affected .NET application. This vulnerability could be exploited by an attacker by sending specially crafted requests to a vulnerable .NET or .NET core application.

CVE-2018-0766 - Microsoft Edge Information Disclosure Vulnerability


An information disclosure vulnerability have been identified that affects Microsoft Edge. This vulnerability manifests due to Microsoft Edge PDF reader improperly handling objects in memory. This vulnerability could be leveraged by an attacker to obtain information that could be used for subsequent attacks against an affected system. Scenarios where this vulnerability would likely be exploited include web-based attacks where the user navigates to a malicious PDF hosted on an attacker controlled website.

CVE-2018-0768 - Scripting Engine Memory Corruption Vulnerability


A remote code execution vulnerability have been discovered that affects Microsoft Edge and Internet Explorer. This vulnerability manifests due to Internet Explorer and Edge not properly handling objects in memory. Successful exploitation of this vulnerability could result in an attacker obtaining the ability to execute code within the context of the current user. Scenarios where this vulnerability would likely be exploited include web-based attacks where the user navigates to a malicious web page designed to exploit this vulnerability.

CVE-2018-0784 - ASP.NET Core Elevation Of Privilege Vulnerability


A vulnerability have been discovered in the ASP.NET Core that could allow a privilege escalation attack to occur. This vulnerability manifests when an ASP.NET Core web application, based on a vulnerable project template, incorrectly utilizes input without first sanitizing it. An attacker who exploits this vulnerability could perform content injection attacks and run scripts in the context of the current user. Exploitation of this vulnerability could be achieved in email-based attack scenarios or via other social engineering means where the user clicks on a specially crafted link.

CVE-2018-0786 - .NET Security Feature Bypass Vulnerability


A security feature bypass vulnerability in the Microsoft .NET Framework and .NET Core have been identified that could allow attackers to bypass certificate validation. This vulnerability manifests in the way certificates are handled where certificates marked invalid for specific use may still be used for that purpose.

CVE-2018-0788 - OpenType Font Driver Elevation of Privilege Vulnerability


A privilege escalation vulnerability has been discovered in the Windows Adobe OpenType Font Driver. This vulnerability manifests as a result of the library incorrectly handling objects in memory. Exploitation of this vulnerability could be achieved by running a specially crafted application that exploits this flaw.

Multiple CVEs - Microsoft SharePoint Cross Site Scripting Elevation of Privilege Vulnerability


Two cross-site scripting vulnerabilities have been identified in Microsoft Sharepoint that could allow an attacker to perform a privilege escalation attack. These vulnerabilities manifest as a result of improper input sanitization for specially crafted web requests. An attacker who exploits these vulnerabilities would be able to run scripts in the context of the affected user, allowing the attacker to read content or perform actions based on that user's permission.

The following is a list of CVEs related to these vulnerabilities.
  • CVE-2018-0789
  • CVE-2018-0790

Multiple CVEs - Microsoft Outlook Remote Code Execution Vulnerability


Two remote code execution vulnerabilities have been identified in Microsoft Outlook that could allow an attacker to execute arbitrary code of their choice on targeted hosts. These vulnerabilities manifest as a result of Microsoft Outlook incorrectly parsing specially crafted emails. An attacker who sends a user a specially crafted email and socially engineers them to open a specially crafted attachment in Outlook could exploit this vulnerability.

The following is a list of CVEs related to these vulnerabilities.
  • CVE-2018-0791
  • CVE-2018-0793

Multiple CVEs - Microsoft Word Remote Code Execution Vulnerability


Multiple arbitrary code execution vulnerabilities have been identified in Microsoft Word. These vulnerabilities manifest as a result of Microsoft Word incorrectly handing objects in memory. An attacker who exploits one of these vulnerabilities could execute arbitrary code of their choosing on targeted hosts. Scenarios where this could occur include email-based attacks or other scenarios involving social engineering where the attackers convince the user to open a specially crafted Word document.

The following is a list of CVEs related to these vulnerabilities.
  • CVE-2018-0792
  • CVE-2018-0794
  • CVE-2018-0805
  • CVE-2018-0806
  • CVE-2018-0807
  • CVE-2018-0812

CVE-2018-0796 - Microsoft Excel Remote Code Execution Vulnerability


An arbitrary code execution vulnerabilty have been identified in Microsoft Excel. This vulnerability manifests as a result of Microsoft Excel incorrectly handing objects in memory. An attacker who exploits this vulnerability could execute arbitrary code of their choosing on targeted hosts. Scenarios where this could occur include email-based attacks or other scenarios involving social engineering where the attackers convince the user to open a specially crafted Excel spreadsheet.

Multiple CVEs - Microsoft Office Memory Corruption Vulnerability


Multiple arbitrary code execution vulnerabilities have been identified in Microsoft Office. These vulnerabilities manifest as a result of Microsoft Office incorrectly handing objects in memory. An attacker who exploits one of these vulnerabilities could execute arbitrary code of their choosing on targeted hosts. Scenarios where this could occur include email-based attacks or other scenarios involving social engineering where the attackers convince the user to open a specially crafted Office file.

The following is a list of CVEs related to these vulnerabilities.
  • CVE-2018-0795
  • CVE-2018-0798
  • CVE-2018-0801
  • CVE-2018-0802

CVE-2018-0799 - Microsoft Access Tampering Vulnerability


A cross-site scripting vulnerability has been identified in Microsoft Access. This vulnerability manifests as a result of Microsoft Access incorrectly handling and sanitizing inputs to image fields editing within Design view. An attacker who exploits this vulnerability could execute arbitrary JavaScript in the context of the current user. An attacker could then read content or perform actions on behalf on the user on a remote site. Exploitation of this vulnerability could be achieved by opening a specially crafted Access file.

CVE-2018-0803 - Microsoft Edge Elevation of Privilege Vulnerability


A vulnerability in Microsoft Edge has been identified that could result in privilege escalation if exploited. This vulnerability manifests as a result of Edge incorrectly enforcing cross-domain policies. Successful exploitation could result in a user obtaining elevated privileges.

CVE-2018-0818 - Scripting Engine Security Feature Bypass


A security feature bypass vulnerability has been identified in Microsoft Chakra that could allow an attacker to bypass Control Flow Guard. An attacker could exploit this vulnerability by creating a specially crafted web page designed to exploit this vulnerability and convincing a user to visit the web page.

CVE-2018-0819 - Spoofing Vulnerability in Microsoft Office for Mac


A spoofing vulnerability in Microsoft Outlook for Mac has been discovered and manifests as a result of Outlook for Mac incorrectly handling the encoding and display of email addresses. As a result, antivirus and anti-spam scanning may not work as intended.

Vulnerabilities Rated Moderate


Microsoft has assigned the following vulnerabilities an Moderate severity rating:
  • CVE-2018-0785 - ASP.NET Core Cross Site Request Forgery Vulnerability
The following is a brief description of this vulnerability:

CVE-2018-0785 - ASP.NET Core Cross Site Request Forgery Vulnerability


A Cross Site Request Forgery (CSRF) vulnerability has been discovered affecting ASP.NET Core web applications that were created using vulnerable project templates. Successful exploitation of this vulnerability could allow an attacker to modify recovery codes associated with accounts to which the attacker should not have access to, resulting in the user being locked out of their account in situations where the user attempts to access their account after losing their 2FA device.

Coverage


In response to these vulnerability disclosures, Talos is releasing the following Snort rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Snort Rules:

  • 45374-45379
  • 45383-45384
  • 45387-45392
  • 45395-45396
  • 45402-45403


No comments:

Post a Comment