Tuesday, August 14, 2018

Microsoft Tuesday August 2018


Microsoft released its monthly set of security advisories today for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 62 new vulnerabilities, 20 of which are rated “critical,” 38 that are rated “important,” one that is rated moderate and one that is rated as low severity. These vulnerabilities impact Windows Operating System, Edge and Internet Explorer, along with several other products.

In addition to the 60 vulnerabilities referenced above, Microsoft has also released a critical update advisory, ADV180020 which addresses the vulnerabilities described in the Adobe Flash Security Bulletin APSB18-25.

Critical Vulnerabilities


This month, Microsoft is addressing 20 vulnerabilities that are rated "critical." Talos believes 10 of these are notable and require prompt attention.

CVE-2018-8273 is a remote code execution vulnerability in the Microsoft SQL Server that could allow an attacker who successfully exploits the vulnerability to execute code in the context of the SQL Server Database Engine Service account.

CVE-2018-8302 is a remote code execution vulnerability in the Microsoft Exchange email and calendar software that could allow an attacker who successfully exploits the vulnerability to run arbitrary code in the context of the system user when the software fails to properly handle objects in memory.

CVE-2018-8344 is a remote code execution vulnerability that exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploits this vulnerability could take control of the affected system. This vulnerability can be exploited in multiple ways. By leveraging a web-based attack, an attacker can convince a user to visit a web page that has been specially crafted to exploit this vulnerability. This could be in the form of an attacker-controlled webpage, or simply a page that hosts external content, such as advertisements. An attacker can also provide a specially crafted document that is designed to exploit the vulnerability, and then convince users to open the document file.

CVE-2018-8350 is a remote code execution vulnerability that exists when the Microsoft Windows PDF Library improperly handles objects in memory. An attacker who successfully exploits the vulnerability could gain the same user rights as the current user. The vulnerability can be exploited simply by viewing a website that hosts a malicious PDF file on a Windows 10 system with Microsoft Edge set as the default browser. On other affected systems, that do not render PDF content automatically, an attacker would have to convince users to open a specially crafted PDF document, such as a PDF attachment to an email message.

CVE-2018-8266, CVE-2018-8355, CVE-2018-8380,  CVE-2018-8381 and CVE-2018-8384 are remote code execution vulnerabilities that exist in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. An attacker who successfully exploits the vulnerability can potentially gain the same user rights as the current user. This vulnerability could be leveraged in web-based attacks where a user is convinced to visit a web page that has been specially crafted to exploit this vulnerability. This could be in the form of an attacker-controlled webpage, or simply a page that hosts external content, such as advertisements.

CVE-2018-8397 is a remote code execution vulnerability that exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploits this vulnerability could take control of the affected system. This vulnerability can be exploited in multiple ways. By leveraging a web-based attack, an attacker can convince a user to visit a webpage that has been specially crafted to exploit this vulnerability. This could be in the form of an attacker-controlled webpage, or simply a page that hosts external content, such as advertisements. An attacker can also provide a specially crafted document file that is designed to exploit the vulnerability, and then convince users to open the document file.
Other vulnerabilities deemed "critical" are listed below:

CVE-2018-8345    LNK Remote Code Execution Vulnerability
CVE-2018-8359    Scripting Engine Memory Corruption Vulnerability
CVE-2018-8371    Scripting Engine Memory Corruption Vulnerability
CVE-2018-8372    Scripting Engine Memory Corruption Vulnerability
CVE-2018-8373    Scripting Engine Memory Corruption Vulnerability
CVE-2018-8377    Microsoft Edge Memory Corruption Vulnerability
CVE-2018-8385    Scripting Engine Memory Corruption Vulnerability
CVE-2018-8387    Microsoft Edge Memory Corruption Vulnerability
CVE-2018-8390    Scripting Engine Memory Corruption Vulnerability
CVE-2018-8403    Microsoft Browser Memory Corruption Vulnerability

Important Vulnerabilities


This month, Microsoft is addressing 38 vulnerabilities that are rated "important." Talos believes two of these are notable and require prompt attention.

CVE-2018-8200 is a vulnerability that exists in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session. An attacker who successfully exploits this vulnerability can potentially inject code into a trusted PowerShell process to bypass the Device Guard code integrity policy on the local machine. To exploit the vulnerability, an attacker would first have to access the local machine and then inject malicious code into a script that is trusted by the policy. The injected code would then run with the same trust level as the script and bypass the policy.

CVE-2018-8340 is a vulnerability in the Windows Authentication Methods, and enables an Active Directory Federation Services (AD FS)  Security Bypass vulnerability. An attacker who successfully exploits this vulnerability could bypass some, but not all, of the authentication factors.

Other vulnerabilities deemed "important" are listed below:

CVE-2018-0952    Diagnostic Hub Standard Collector Elevation Of Privilege Vulnerability
CVE-2018-8204    Device Guard Code Integrity Policy Security Feature Bypass Vulnerability
CVE-2018-8253    Cortana Elevation of Privilege Vulnerability
CVE-2018-8316    Internet Explorer Remote Code Execution Vulnerability
CVE-2018-8339    Windows Installer Elevation of Privilege Vulnerability
CVE-2018-8341    Windows Kernel Information Disclosure Vulnerability
CVE-2018-8342    Windows NDIS Elevation of Privilege Vulnerability
CVE-2018-8343    Windows NDIS Elevation of Privilege Vulnerability
CVE-2018-8346    LNK Remote Code Execution Vulnerability
CVE-2018-8347    Windows Kernel Elevation of Privilege Vulnerability
CVE-2018-8348     Windows Kernel Information Disclosure Vulnerability
CVE-2018-8349    Microsoft COM for Windows Remote Code Execution Vulnerability
CVE-2018-8351    Microsoft Edge Information Disclosure Vulnerability
CVE-2018-8353    Scripting Engine Memory Corruption Vulnerability
CVE-2018-8357    Microsoft Browser Elevation of Privilege Vulnerability
CVE-2018-8358    Microsoft Browser Security Feature Bypass Vulnerability
CVE-2018-8360    .NET Framework Information Disclosure Vulnerability
CVE-2018-8370    Microsoft Edge Information Disclosure Vulnerability
CVE-2018-8375    Microsoft Excel Remote Code Execution Vulnerability
CVE-2018-8376    Microsoft PowerPoint Remote Code Execution Vulnerability
CVE-2018-8378    Microsoft Office Information Disclosure Vulnerability
CVE-2018-8379    Microsoft Excel Remote Code Execution Vulnerability
CVE-2018-8382    Microsoft Excel Information Disclosure Vulnerability
CVE-2018-8383    Microsoft Edge Spoofing Vulnerability
CVE-2018-8389    Scripting Engine Memory Corruption Vulnerability
CVE-2018-8394    Windows GDI Information Disclosure Vulnerability
CVE-2018-8396    Windows GDI Information Disclosure Vulnerability
CVE-2018-8398    Windows GDI Information Disclosure Vulnerability
CVE-2018-8399    Win32k Elevation of Privilege Vulnerability
CVE-2018-8400    DirectX Graphics Kernel Elevation of Privilege Vulnerability
CVE-2018-8401    DirectX Graphics Kernel Elevation of Privilege Vulnerability
CVE-2018-8404    Win32k Elevation of Privilege Vulnerability
CVE-2018-8405    DirectX Graphics Kernel Elevation of Privilege Vulnerability
CVE-2018-8406    DirectX Graphics Kernel Elevation of Privilege Vulnerability
CVE-2018-8412    Microsoft (MAU) Office Elevation of Privilege Vulnerability
CVE-2018-8414    Windows Shell Remote Code Execution Vulnerability

 Coverage


In response to these vulnerability disclosures, Talos is releasing the following Snort rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.

Snort Rules:

45877-45878, 46548-46549, 46999-47002, 47474-47493, 47495-47496, 47503-47504, 47512-47513, 47515-47520

No comments:

Post a Comment