Tuesday, November 13, 2018

Microsoft Patch Tuesday — November 2018: Vulnerability disclosures and Snort coverage

Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 53 vulnerabilities: 11 rated "critical," 40 rated "important," and one each rated "moderate" and "low."

The advisories cover bugs in the Chakra scripting engine, Microsoft Outlook and DirectX.

This update also includes three advisories. One covers vulnerabilities in Adobe Flash Player, and another covers important bugs in the Microsoft Surface tablet. Additionally, there is guidance for how users should configure BitLocker in order to properly enforce software encryption.

For more on our coverage for these vulnerabilities, check out the SNORT® blog post here.

Critical vulnerabilities

Microsoft disclosed 11 critical vulnerabilities this month, which we will highlight below. There is also a critical advisory covering Adobe Flash Player.

CVE-2018-8541, CVE-2018-8542, CVE-2018-8543, CVE-2018-8551, CVE-2018-8555, CVE-2018-8556, CVE-2018-8557 and CVE-2018-8588 are all memory corruption vulnerabilities in the Chakra scripting engine. They all lie in the way that the scripting engine handles objects in memory in the Microsoft Edge internet browser. These vulnerabilities could corrupt memory in a way that an attacker could execute code in the context of the current user. An attacker needs to convince a user to open a specially crafted, malicious website on Microsoft Edge in order to exploit these bugs.

CVE-2018-8476 is a remote code execution vulnerability in the Windows Deployment Services TFTP server. The bug lies in the way the TFTP server handles objects in memory. An attacker could exploit this vulnerability by supplying the user with a specially crafted request.

CVE-2018-8553 is a remote code execution vulnerability in Microsoft Graphics Components that lies in the way Graphics Components handles objects in memory. An attacker can exploit this vulnerability by providing the user with a specially crafted file.

CVE-2018-8544 is a remote code execution vulnerability that exists in the way that the VBScript engine handles objects in memory. An attacker needs to trick a user into visiting a specially crafted website on Internet Explorer in order to exploit this vulnerability. Alternatively, the attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts Internet Explorer’s rendering engine.

ADV180025 addresses several vulnerabilities in Adobe Flash Player, which are outlined by Adobe in a separate release. Microsoft recommends updating to the latest version of Flash Player, as well as disabling Flash on its web browsers.

Important vulnerabilities

There are also 40 important vulnerabilities in this release. We would like to specifically highlight seven of them.

CVE-2018-8256 is a remote code execution vulnerability in PowerShell that occurs when it improperly handles specially crafted files. An attacker could execute malicious code on a vulnerable system. This update fixes the vulnerability by ensuring that PowerShell properly handles files.

CVE-2018-8574 and CVE-2018-8577 are remote code execution vulnerabilities in Microsoft Excel that occur when the software fails to properly handle objects in memory. An attacker could exploit these bugs by tricking the user into opening a specially crafted Excel file, either as an email attachment or by another method.

CVE-2018-8582 is a remote code execution vulnerability in Microsoft Outlook that occurs when the software fails to properly parse specially modified rule export files. Users who have their settings configured to allow fewer user rights are less impacted by this vulnerability than those who operate with administrative user rights. Workstations and terminal servers that use Microsoft Outlook are also at risk. An attacker needs to convince a user to open a specially crafted rule export file in an email in order to trigger this bug.

CVE-2018-8450 is a remote code execution vulnerability that exists when Windows Search handles objects in memory. An attacker could trigger this vulnerability by sending a specially crafted function to the Windows Search service, or via an SMB connection.

CVE-2018-8550 is an elevation of privilege vulnerability in the Windows COM Aggregate Marshaler. An attacker who successfully exploits the vulnerability could run arbitrary code with elevated privileges. The vulnerability does not directly allow the user to execute arbitrary code, but it could be used in conjunction with other bugs to execute code with elevated privileges.

CVE-2018-8570 is a remote code execution vulnerability in Internet Explorer that exists when the web browser improperly accesses objects in memory. An attacker could exploit this bug by hosting a malicious website and then convincing the user to visit the link in Internet Explorer.

The other important vulnerabilities are:

Moderate vulnerabilities

The one moderate vulnerability is CVE-2018-8546, a denial-of-service vulnerability in the Skype video messaging service.

Low vulnerability

There is also one low-rated vulnerability, CVE-2018-8416, which is a tampering vulnerability in .NET Core.

Coverage

In response to these vulnerability disclosures, Talos is releasing the following SNORT® rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.


Snort rules: 32637, 45142, 45143, 48399 - 48404, 48374 - 48388, 48393 - 48395, 48360 - 48373, 48408 - 48410
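To confirm that a sensor actually carries this coverage after the ruleset update, the added example below (not Talos or Snort project code) expands the SID list above and reports which of those rules are enabled, commented out, or absent in a rules file. The function names are hypothetical and the sample rule lines are constructed for illustration.

```python
import re

# SID list exactly as published in the Coverage section of this post.
PUBLISHED = ("32637, 45142, 45143, 48399 - 48404, 48374 - 48388, "
             "48393 - 48395, 48360 - 48373, 48408 - 48410")
# Constructed sample rules file (not real rule content): one enabled rule,
# one commented-out rule, and a comment that merely mentions a SID.
SAMPLE_RULES = """\
alert tcp any any -> any any (msg:"constructed sample A"; sid:48399; rev:1;)
# alert tcp any any -> any any (msg:"constructed sample B"; sid:48400; rev:1;)
# note: sid:48401; is referenced here but this line is not a rule
"""
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
ACTION_RE = re.compile(r"(alert|log|pass|drop|reject|sdrop|block)\s")

def expand_sids(spec):
    """Expand '48399 - 48404'-style ranges into a sorted list of ints."""
    sids = set()
    for part in spec.split(","):
        bounds = [int(x) for x in part.split("-")]
        if len(bounds) > 2 or bounds[0] > bounds[-1]:
            raise ValueError(f"bad SID range: {part.strip()!r}")
        sids.update(range(bounds[0], bounds[-1] + 1))
    return sorted(sids)

def rule_states(rules_text):
    """Map sid -> 'enabled' or 'disabled' (rule line commented out with '#')."""
    states = {}
    for line in rules_text.splitlines():
        body = line.strip()
        disabled = body.startswith("#")
        body = body.lstrip("#").strip()
        m = SID_RE.search(body)
        if not m or not ACTION_RE.match(body):
            continue  # prose comment or blank line, not a rule
        sid = int(m.group(1))
        if not disabled or sid not in states:  # an enabled copy wins
            states[sid] = "disabled" if disabled else "enabled"
    return states

def coverage_report(spec, rules_text):
    """Bucket every published SID as enabled, disabled or missing."""
    states = rule_states(rules_text)
    report = {"enabled": [], "disabled": [], "missing": []}
    for sid in expand_sids(spec):
        report[states.get(sid, "missing")].append(sid)
    return report

if __name__ == "__main__":
    print({k: len(v) for k, v in coverage_report(PUBLISHED, SAMPLE_RULES).items()})
```

Passing the contents of the deployed rule files as `rules_text` shows whether the update reached the sensor and whether policy left any of these SIDs disabled.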
