The January 2018 Security Update Review
January 09, 2018 | Dustin Childs
Happy New Year, and welcome to 2018’s first Patch Tuesday, with new updates from Apple, Adobe, and Microsoft. Take a break from reading the 2017 ZDI Retrospective and join us as we review January’s patches.
Adobe Patches for January 2018
Starting off the year, Adobe released only one Important-severity patch for Flash addressing a total of one CVE. The bug is an out-of-bounds read resulting in an information disclosure. This vulnerability was reported through the ZDI program. While this month’s Adobe release may be small, there are currently 38 Adobe-related cases in our Upcoming queue, so more patches are certainly on the way.
Apple Patches for January 2018
Apple released patches for macOS, iOS, and Safari to correct the Spectre bugs listed as CVE-2017-5753 and CVE-2017-5715. These are the only bugs listed for the updates, but it highlights how pervasive these chip-related flaws truly are. A partial but extensive list of affected vendors can be found over at the CERT website.
Microsoft Patches for January 2018
Microsoft released 56 security patches for January covering Internet Explorer (IE), Microsoft Edge, ChakraCore, Microsoft Windows, Microsoft Office, ASP.NET, and the .NET Framework. Of these 56 CVEs, 16 are listed as Critical and 38 are rated Important, 1 is rated Moderate and 1 is rated as Low in severity. Three of these CVEs came through the ZDI program. One of the CVEs for Office is listed as under attack, and a CVE for the macOS version of Office is listed as publicly known at the time of release.
Let’s take a closer look at some of the more interesting patches to start out the year.
- ADV180002 - Guidance to mitigate speculative execution side-channel vulnerabilities
These updates were released out-of-band (OOB) last week, and you’ve likely already heard about these speculative execution side-channel attacks. There has already been a mountain of information produced detailing the attacks, so I won’t re-hash it here. However, there are a few key items to keep in mind when deploying these patches. The first and most important is a change in the patching process itself introduced by this update. A new registry key is required to ensure future updates will be applied. In a supplemental post, Microsoft states they have, “identified a compatibility issue with a small number of antivirus software products,” which prevents the installation of patches. So far, no matrix or guide exists detailing which products are actually affected. For now, it is recommended that everyone install the registry key to ensure future updates are delivered. Our colleagues in the AV side of Trend produced a nice summary of the issue. Again, failure to have this registry key – offered here from Trend Micro – could prevent all future security updates from being offered.
Those using the Microsoft Surface need both software and firmware patches. Even if you don’t need the firmware update, you will need multiple patches to fully address the issue. In their advisory, Microsoft lists updates for Windows, Edge, IE, SQL Server, and the Windows Subsystem for Linux. In total, Microsoft released patches for 33 different CVEs on January 3rd related to these vulnerabilities, and even after you apply those, you may need other patches for the chip firmware itself.
Finally, several third-party applications have reportedly had problems with the patch(es). In fact, there are so many problems that Microsoft has stopped issuing the patch to some systems with AMD processors. Be sure to review the “Known Issues” section of the KB article for the latest info on what’s working and what isn’t.
These bugs are certainly severe, even if they aren’t earth-shattering. If nothing else, they highlight the complexities involved in producing patches for multiple versions of software on multiple architectures, and the interconnected nature of shared vulnerabilities in modern computing systems.
- CVE-2018-0802 – Microsoft Office Memory Corruption Vulnerability
This Office bug is the lone CVE listed as under active attack for this month. The attack scenario is relatively straightforward – convince a user to open a specially crafted Office document. No details about the attacks are provided by Microsoft, but the lack of industry discussion likely means this is being used in a targeted attack.
- CVE-2018-0804 – Microsoft Word Remote Code Execution Vulnerability
This bug looks similar to other Word bugs patched this month, except the severity for this CVE is listed as Low. Normally bugs of this nature rate Important if you click through dialogs or Critical if there’s an Outlook Preview Pane vector. No indication is given as to why this bug would be less severe, so treat this one cautiously.
- CVE-2018-0786 – .NET Security Feature Bypass Vulnerability
This patch addresses a vulnerability in .NET Framework (and .NET Core) that prevents these components from completely validating a certificate. As stated in the advisory, “An attacker could present a certificate that is marked invalid for a specific use, but the component uses it for that purpose. This action disregards the Enhanced Key Usage taggings.” This is definitely the sort of bug malware authors seek, as it could allow their invalid certificates to appear valid.
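The purpose check that this CVE describes as disregarded, shown as an added C# example (not code from Microsoft or from the original post): a certificate constructed for server authentication is tested against the code-signing purpose and must be refused. The subject name, the helper names, and the policy of rejecting certificates that carry no EKU extension are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class EkuCheck
{
    // Enhanced Key Usage OIDs defined in RFC 5280, section 4.2.1.12.
    const string ServerAuth = "1.3.6.1.5.5.7.3.1";
    const string CodeSigning = "1.3.6.1.5.5.7.3.3";
    const string AnyUsage = "2.5.29.37.0";

    // Returns true only when the certificate is tagged for requiredOid.
    // Assumed policy: a certificate with no EKU values is rejected unless
    // allowUnrestricted is set, since RFC 5280 treats it as valid for any purpose.
    static bool AllowsUsage(X509Certificate2 cert, string requiredOid,
                            bool allowUnrestricted = false)
    {
        var ekus = cert.Extensions.OfType<X509EnhancedKeyUsageExtension>()
                       .SelectMany(e => e.EnhancedKeyUsages.Cast<Oid>())
                       .Select(o => o.Value)
                       .ToList();
        if (ekus.Count == 0) return allowUnrestricted;
        return ekus.Contains(requiredOid) || ekus.Contains(AnyUsage);
    }

    // Builds a constructed, self-signed sample certificate with one EKU value.
    static X509Certificate2 MakeSampleCert(string ekuOid)
    {
        var rsa = RSA.Create(2048);
        var req = new CertificateRequest("CN=constructed-example", rsa,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
            new OidCollection { new Oid(ekuOid) }, false));
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1),
                                    DateTimeOffset.UtcNow.AddDays(30));
    }

    static void Main()
    {
        var tlsCert = MakeSampleCert(ServerAuth);
        // The same certificate, evaluated for two different purposes.
        Console.WriteLine("server auth allowed:  " + AllowsUsage(tlsCert, ServerAuth));
        Console.WriteLine("code signing allowed: " + AllowsUsage(tlsCert, CodeSigning));
    }
}
```

A purpose check like this complements chain building and revocation checking; it does not replace them.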
Here’s the full list of CVEs released by Microsoft for January 2018.
CVE | Title | Severity | Public | Exploited | Exploitability Index (XI) - Latest | Exploitability Index (XI) - Older |
CVE-2018-0819 | Spoofing Vulnerability in Microsoft Office for MAC | Important | Yes | No | 2 | 2 |
CVE-2018-0802 | Microsoft Office Memory Corruption Vulnerability | Important | No | Yes | 3 | 3 |
CVE-2018-0758 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2018-0762 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
CVE-2018-0767 | Scripting Engine Information Disclosure Vulnerability | Critical | No | No | 3 | 3 |
CVE-2018-0769 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2018-0770 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2018-0772 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2018-0773 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2018-0774 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2018-0775 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2018-0776 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2018-0777 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2018-0778 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 3 | 3 |
CVE-2018-0780 | Scripting Engine Information Disclosure Vulnerability | Critical | No | No | 1 | N/A |
CVE-2018-0781 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 3 | 3 |
CVE-2018-0797 | Microsoft Word Memory Corruption Vulnerability | Critical | No | No | 2 | 2 |
CVE-2018-0800 | Scripting Engine Information Disclosure Vulnerability | Critical | No | No | 2 | 2 |
CVE-2018-0805 | Microsoft Word Remote Code Execution Vulnerability | Important | No | No | 3 | 3 |
CVE-2018-0806 | Microsoft Word Remote Code Execution Vulnerability | Important | No | No | 3 | 3 |
CVE-2018-0807 | Microsoft Word Remote Code Execution Vulnerability | Important | No | No | 3 | 3 |
CVE-2018-0812 | Microsoft Word Memory Corruption Vulnerability | Important | No | No | 3 | 3 |
CVE-2018-0818 | Scripting Engine Security Feature Bypass | Important | No | No | 3 | 3 |
CVE-2018-0743 | Windows Subsystem for Linux Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 |
CVE-2018-0741 | Microsoft Color Management Information Disclosure Vulnerability | Important | No | No | N/A | 1 |
CVE-2018-0744 | Windows Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
CVE-2018-0745 | Windows Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
CVE-2018-0746 | Windows Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
CVE-2018-0747 | Windows Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
CVE-2018-0748 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 |
CVE-2018-0749 | SMB Server Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 |
CVE-2018-0750 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
CVE-2018-0751 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 |
CVE-2018-0752 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 |
CVE-2018-0753 | Windows IPSec Denial of Service Vulnerability | Important | No | No | N/A | N/A |
CVE-2018-0754 | ATMFD.dll Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
CVE-2018-0764 | .NET and .NET Core Denial Of Service Vulnerability | Important | No | No | 3 | 3 |
CVE-2018-0766 | Microsoft Edge Information Disclosure Vulnerability | Important | No | No | 3 | 3 |
CVE-2018-0768 | Scripting Engine Memory Corruption Vulnerability | Important | No | No | 2 | 2 |
CVE-2018-0784 | ASP.NET Core Elevation Of Privilege Vulnerability | Important | No | No | 2 | 2 |
CVE-2018-0786 | .NET Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 |
CVE-2018-0788 | ATMFD.dll Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
CVE-2018-0789 | Microsoft Office Spoofing Vulnerability | Important | No | No | 2 | 2 |
CVE-2018-0790 | Microsoft Office Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
CVE-2018-0791 | Microsoft Outlook Remote Code Execution Vulnerability | Important | No | No | 2 | 2 |
CVE-2018-0792 | Microsoft Word Remote Code Execution | Important | No | No | 2 | 2 |
CVE-2018-0793 | Microsoft Outlook Remote Code Execution | Important | No | No | 1 | 1 |
CVE-2018-0794 | Microsoft Word Remote Code Execution | Important | No | No | 1 | 1 |
CVE-2018-0795 | Microsoft Office Remote Code Execution | Important | No | No | N/A | N/A |
CVE-2018-0796 | Microsoft Excel Remote Code Execution | Important | No | No | 2 | 2 |
CVE-2018-0798 | Microsoft Word Memory Corruption Vulnerability | Important | No | No | 2 | 2 |
CVE-2018-0799 | Microsoft Access Tampering Vulnerability | Important | No | No | 3 | 3 |
CVE-2018-0801 | Microsoft Office Remote Code Execution Vulnerability | Important | No | No | 2 | 2 |
CVE-2018-0803 | Microsoft Edge Elevation of Privilege Vulnerability | Important | No | No | 2 | N/A |
CVE-2018-0785 | ASP.NET Core Cross Site Request Forgery Vulnerability | Moderate | No | No | 3 | 3 |
CVE-2018-0804 | Microsoft Word Remote Code Execution Vulnerability | Low | No | No | 3 | 3 |
Beyond what we’ve already discussed, the updates for Edge and IE should lead deployment lists. As with previous months, most of the Critical patches contain the words “Scripting Engine” in the title. There are also quite a few Office bugs patched this month, and those should also be given a high deployment priority. The release wraps up with several updates for .NET Framework and ASP.NET. While not as flashy as many of the other issues patched this month, they shouldn’t be ignored.
Finally, Microsoft released three advisories for January. We’ve already discussed ADV180002, and it is joined by the enigmatic ADV180003 – Microsoft Office Defense in Depth Update. Outside of the title, no information is provided on what defense-in-depth changes were made; just that all supported Office versions (excluding Office for Mac) are affected. Lastly, Microsoft released their version of the aforementioned Adobe patch for Flash in Internet Explorer.
Looking Ahead
The next Patch Tuesday falls on February 13, and we’ll return with details and patch analysis then. Follow us on Twitter to see the latest and greatest coming from the ZDI program. Until then, happy patching and may all your reboots be smooth and clean!