The February 2018 Security Update Review

February 13, 2018 | Dustin Childs

This month has brought a bouquet of new patches from Adobe, Apple, and Microsoft. Take a break from your Winter Olympic viewing party as we review the details for February’s security updates.

Adobe Patches for February 2018

Adobe kicked off their February patches early with an update for Flash released last week. The release patches two bugs, one of which was reported to be under active attack. The exploit was embedded in an Excel spreadsheet and discovered in South Korea. Included in the Flash patch was a similar bug reported through the ZDI program.

Today, Adobe released patches for Acrobat Reader and Experience Manager. The Reader update resolves 17 Critical and 24 Important severity bugs. There’s an interesting Security Mitigation Bypass listed as Critical, but most of these vulnerabilities are the more standard code execution upon opening a crafted PDF. A total of 26 of these bugs came through the ZDI program. The Experience Manager patch resolves one Important and one Moderate bug, although both are related to cross-site scripting (XSS). Unlike the Flash patch, neither of these bulletins lists any of its CVEs as being under active attack.

Apple Patches for February 2018

In late January, Apple released patches for macOS, iOS, watchOS, tvOS, iTunes for Windows, iCloud for Windows, and Safari to address a variety of issues. This group of patches includes a fix for Meltdown in the latest versions of macOS Sierra (10.12.6), and OS X El Capitan (10.11.6). Prior to these patches, macOS users were forced to upgrade their whole OS if they wanted a fix for the CPU bug. Other notable fixes address problems in the kernel and remote code execution bugs in Webkit. One of the bugs addressed by these patches came through the ZDI program.

Microsoft Patches for February 2018

Microsoft released 50 security patches for February covering Internet Explorer (IE), Microsoft Edge, ChakraCore, Microsoft Windows, and Microsoft Office. Of these 50 CVEs, 14 are listed as Critical, 34 are rated Important, and 2 are rated Moderate in severity. Eight of these CVEs came through the ZDI program. One of these bugs is listed as being publicly known, but none are listed as being under active attack.

Let’s take a closer look at some of the more interesting patches to start out the year.

- CVE-2018-0852 – Microsoft Outlook Memory Corruption Vulnerability
Even more than the publicly known bugs, this CVE falls into the “Patch Now!” category. This bug allows an attacker to get code execution through vulnerable versions of Microsoft Outlook. What’s truly frightening with this bug is that the Preview Pane is an attack vector, which means simply viewing an email in the Preview Pane could allow code execution. The end user targeted by such an attack doesn’t need to open or click on anything in the email – just view it in the Preview Pane. If this bug turns into active exploits – and with this attack vector, exploit writers will certainly try – unpatched systems will definitely suffer.

It’s interesting to note this bug was discovered by former Pwn2Own winner Nicolas Joly, who now works for Microsoft. Internally found vulnerabilities used to be shuffled off to the next version of the product and not patched through security bulletins. Kudos to Microsoft for changing this stance and proactively releasing patches for internal finds.

- CVE-2018-0850 – Microsoft Outlook Elevation of Privilege Vulnerability
Speaking of Pwn2Own, this second bug from Nicolas Joly would likely have been a winner in the Enterprise Application category. This bug occurs when an attacker sends a maliciously crafted email to a victim. The email would need to be fashioned in a manner that forces Outlook to load a message store over SMB. Outlook attempts to open the pre-configured message store on receipt of the email. You read that right – not viewing, not previewing, but upon receipt. That means there’s a potential for an attacker to exploit this merely by sending an email. Between this bug and CVE-2018-0852, it’s not a good month to be an email client. Again, this bug falls into the category of “Patch Now!”, so complete your testing and deploy these patches as soon as you can.

- CVE-2018-0771 – Microsoft Edge Security Feature Bypass Vulnerability
The only bug listed as publicly known for February involves the Edge browser. This bug could allow an attacker to bypass Same-Origin Policy (SOP) restrictions and allow requests that should otherwise be ignored. The result of such an attack would force the browser to disclose info it normally wouldn’t. While interesting from a technical viewpoint, this is not as likely to see much use outside of very targeted attacks in the wild.

Here’s the full list of CVEs released by Microsoft for February 2018.

| CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older |
|---|---|---|---|---|---|---|
| CVE-2018-0771 | Microsoft Edge Security Feature Bypass Vulnerability | Moderate | Yes | No | 2 | N/A |
| CVE-2018-0763 | Microsoft Edge Information Disclosure Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-0825 | StructuredQuery Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 |
| CVE-2018-0834 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-0835 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-0837 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-0838 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-0840 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-0852 | Microsoft Outlook Memory Corruption Vulnerability | Critical | No | No | 2 | 2 |
| CVE-2018-0856 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-0857 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-0858 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-0859 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-0860 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-0861 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-0742 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-0755 | Windows EOT Font Engine Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0756 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-0757 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0760 | Windows EOT Font Engine Information Disclosure Vulnerability | Important | No | No | 2 | 1 |
| CVE-2018-0761 | Windows EOT Font Engine Information Disclosure Vulnerability | Important | No | No | 2 | 1 |
| CVE-2018-0809 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-0810 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0820 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-0821 | Windows AppContainer Elevation Of Privilege Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-0822 | Windows NTFS Global Reparse Point Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-0823 | Named Pipe File System Elevation of Privilege Vulnerability | Important | No | No | 1 | N/A |
| CVE-2018-0826 | Windows Storage Services Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-0827 | Windows Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0828 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0829 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0830 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0831 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0832 | Windows Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0836 | Scripting Engine Memory Corruption Vulnerability | Important | No | No | 1 | N/A |
| CVE-2018-0839 | Microsoft Edge Information Disclosure Vulnerability | Important | No | No | 1 | N/A |
| CVE-2018-0841 | Microsoft Office Remote Code Execution Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-0842 | Windows Remote Code Execution Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-0843 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | N/A |
| CVE-2018-0844 | Windows Common Log File System Driver Elevation Of Privilege Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-0846 | Windows Common Log File System Driver Elevation Of Privilege Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-0847 | Internet Explorer Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-0850 | Microsoft Outlook Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0851 | Microsoft Office Memory Corruption Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-0853 | Microsoft Office Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0855 | Windows EOT Font Engine Information Disclosure Vulnerability | Important | No | No | N/A | 1 |
| CVE-2018-0866 | Scripting Engine Memory Corruption Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-0864 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | 3 | N/A |
| CVE-2018-0869 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | 3 | 3 |
| CVE-2018-0833 | Windows Denial of Service Vulnerability | Moderate | No | No | N/A | 3 |

Beyond what we’ve previously covered, this month sees a dozen memory corruption bugs in the browser. This continues the trend of browser bugs being the majority of Critical patches from Microsoft. There’s also a Critical bug in the Windows StructuredQuery component that could allow remote code execution at the level of the logged-on user. Unlike the Outlook bugs listed above, this one requires the target to either open a malicious file or browse to a malicious website. This user action is also required on the other Office bugs patched by today’s release.

There are more than 10 different kernel issues being patched today. Most of these are either information disclosure or local escalation of privilege. Then there’s CVE-2018-0842, which is titled, “Windows Remote Code Execution Vulnerability.” Microsoft lists no attack vector here, and while the title makes you think Critical, it’s only listed as Important. February’s release is rounded out with additional patches for various Windows components and fixes for SharePoint.

Finally, Microsoft also released their version of the aforementioned Adobe patch for Flash in Internet Explorer. They followed Adobe by releasing this last week in an effort to thwart the active attacks.

Looking Ahead

The next patch Tuesday falls on March 13, and we’ll return with details and patch analysis then as we make final preparations for Pwn2Own 2018. Follow us on Twitter to see the latest and greatest coming from the ZDI program. Until then, happy patching and may all your reboots be smooth and clean!