September Patch Tuesday 2018
This month has a light third party line-up with a couple of non-Microsoft updates for Adobe Flash and Google Chrome with a moderate Microsoft line-up. Microsoft released fixes for 61 unique CVEs this month including the fix for the ALPC Elevation of Privilege vulnerability (CVE-2018-8440) that was disclosed and has been used in limited attacks in the wild. There are three additional publicly disclosed vulnerabilities resolved (CVE-2018-8409, CVE-2018-8457, CVE-2018-8475).
Amber Boehm (Manager, Product Marketing), had this to say about this month's Patch Tuesday:
"Across the globe the season is changing, but for September Patch Tuesday the forecast is much as it was last month—another zero day, some public disclosures, a light smattering of third-party updates, and 60+ vulnerabilities resolved by Microsoft. Déjà vu! Also part of our regular patch weather pattern these days, we’re reporting cases of elevation of privilege among the CVEs. So, as we say in this part of the world, “rinse and repeat” with your security procedures: 1) patch in order of criticality, and 2) make sure you have a multi-layered security solution in place."
Microsoft Affected Products:
- Internet Explorer
- Microsoft Edge
- Microsoft Windows
- Microsoft Office and Microsoft Office Services and Web Apps
- Adobe Flash Player
- .NET Framework
- Re-release of Exchange 2010 update from May (this one nearly snuck by under the radar)
CVE-2018-8440 is an Elevation of Privilege Vulnerability in Windows Advanced Local Procedure Call (ALPC). This was first disclosed on August 27th, 2018 when a frustrated security researcher SandboxEscaper released her findings through Twitter. CERT/CC confirmed the vulnerability was real and the proof-of-concept code worked in an advisory also released on the 27th.
“Microsoft Windows task scheduler contains a vulnerability in the handling of ALPC, which can allow a local user to gain SYSTEM privileges,” the alert stated.
An attacker who successfully exploits this vulnerability could run arbitrary code in the context of the local system which pretty much gives them the run of the system.
CVE-2018-8409 is a Denial of Service (DoS) Vulnerability in System.IO.Pipelines which could allow an attacker to cause a DoS against an application that is leveraging System.IO.Pipelines. This vulnerability can be exploited remotely, without authentication. The challenge with this update is that you need to take the new versions of .NET Core 2.1 or ASP.NET Core 2.1 and implement the updated binaries into your application. It is not a simple patch that can be applied.
CVE-2018-8457 is a Memory Corruption Vulnerability in Microsoft’s Scripting Engine. An attacker could corrupt memory in such a way that they could execute arbitrary code in the context of the current user. The attacker would gain equal rights to the user context they exploit. Least Privilege will mitigate the impact if this vulnerability is successfully exploited. There are multiple user-targeted attack vectors that could be used to exploit this vulnerability, including web-based attack scenarios where specially created websites could host malicious content, as an embed in an ActiveX control marked “safe for initialization” within an application or Office document.
CVE-2018-8475 is a Remote Code Execution Vulnerability in Windows that could allow remote code execution by specially crafting an image file to take advantage of the vulnerability. The attacker would execute arbitrary code. This is a user-targeted vulnerability meaning the attacker would need to convince a user to open the specially crafted image file, which is not difficult at all. Phishing is still a statistical challenge, not a true barrier.
Non-Microsoft Affected Products:
- Adobe Flash Player
- Google Chrome dropped late in the day on Patch Tuesday AND they also released last week (released 9/5/2018)
- Mozilla Firefox (released 9/5/2018)
Adobe Flash and Google Chrome dropped today with an update each. Mozilla Firefox and Google Chrome also released updates last week, so Flash and all browsers need updates. Adobe Flash resolved one CVE in this release and is only rated as Important. Chrome resolved two CVEs that were urgent enough that they released another update a week apart.
Here at Ivanti we keep an eye on a few key indicators of risk. These provide us a way to sift through the sea of updates and vulnerabilities to apply some better logic and prioritization based on attack vectors, mitigation options, and tangible risks.
- Zero-Day – This is the obvious one. Someone is already exploiting this in the wild. Patch it ASAP because someone is actively taking advantage of the vulnerability. Example this month: CVE-2018-8440.
- Public Disclosure – This is a vulnerability that has been disclosed at a level where enough information or potentially proof-of-concept code is available to make building a live exploit easier. This increases the odds that the vulnerability will be exploited. Attackers have a window of opportunity that declines over time. If they can exploit before a vendor can respond they know they have an exploit that is wide open. From the point an update is released their window starts to close. If they can develop an exploit in the first two to four weeks they have a highly usable exploit. CVE-2018-8440 is another good example this month as this public disclosure turned around in less than a week and became a zero-day.
- User-Targeted – A vulnerability that requires an attacker to convince a user to click on a link, open a doc or PDF, view a specially crafted website, etc. Phishing, watering hole attacks and drive-by downloads are examples. This is a low-cost way for an attack to start so they are attractive methods to gain initial access to an environment. This month nearly all of the Microsoft updates and the Flash and browser updates include user-targeted vulnerabilities.
- Least Privilege \ Privilege Management Mitigates Impact – In a day and age when enabling users means giving them admin rights to make life easier for everyone, this has become a much larger issue. Shadow IT is only one side effect of relinquishing admin privileges. In many cases a vulnerability would only gain the attacker equal rights to the user who was exploited. If that use is a full admin, then they own the system. Now, this month has an ample number of Elevation-of-Privilege vulnerabilities as well, but this indicator shows additional security controls that can work together to mitigate impact and slow attackers, giving more time to detect a threat in your environment.