May Patch Tuesday 2018
Microsoft has released their Patch Tuesday update and it includes quite the lineup this month. 66 unique CVEs are being resolved this month. This includes two zero-day vulnerabilities and two public disclosures. The updates this month affect Microsoft Windows, Internet Explorer, Edge, Office, .Net Framework, Exchange Server, and Host Compute Service Shim.
CVE-2018-8120 is a vulnerability in older Windows OS versions (Windows 7, Server 2008, Server 2008 R2) that has been detected in exploits in the wild. This vulnerability allows an attacker who is logged onto a system to run a specially crafted file to gain privileged access to the system. At that point the attacker would have full permissions to install or remove programs, add users, view, change, or delete data. This type of vulnerability is how a threat actor would elevate their privileges to gain full access to a system. Least Privilege is a critical security control to limit an attacker's ability to move laterally through an environment, but this is a good example of why other security controls like patching and application control are required to effectively defend against an attacker.
The question of a possible fix for the Double Kill exploit that was discovered in the wild has been answered. CVE-2018-8174 resolves a vulnerability in Windows VBScript Engine that could allow an attacker to corrupt memory in such a way that they could execute arbitrary code in the context of the current user. This vulnerability could be exploited through web-based, embedded ActiveX application, or specially crafted Office documents that host the IE rendering engine. Compromised websites that accept or host user-provided content or ads could also be utilized to exploit the vulnerability. In the case where the attacker does not gain privilege access to the compromised system, exploiting an Elevation of Privilege vulnerability like CVE-2018-8120 could gain them the access they need to further their attack toward their goal.
There are two public disclosures this month. Public disclosure means that a vulnerability has been identified and there is enough proof-of-concept code or documentation regarding how the vulnerability works so that a threat actor has an advantage in creating an exploit before companies will have a chance to push an update. CVE-2018-8141 is an Information Disclosure vulnerability in the Windows Kernel that could allow an attacker to gain additional information to further compromise the system. CVE-2018-8170 is a vulnerability in Windows Image that could allow Elevation of Privilege. In both cases an attacker would need to have logged on or gained locally authenticated access to the system to exploit.
Aside from the two zero-day vulnerabilities resolved in this month’s OS updates there are a number of additional Critical vulnerabilities resolved along with multiple Office critical vulnerabilities. Both OS and Office should require priority attention this month to plug the worst of the vulnerabilities. Exchange server has several vulnerabilities being resolved this month. Most are Important or Low, but there is a Critical vulnerability that warrants some attention. CVE-2018-8154 is a vulnerability in Microsoft Exchange that could allow an attacker to execute arbitrary code in the context of the system user.
Adobe has released a Critical fix for Adobe Flash Player. Only one CVE is resolved, but it is rated as Critical, and Flash Player is still a high-profile target on end-user systems. It is always recommended as a high priority.