The March 2018 Security Update Review

Tomorrow in Vancouver, Pwn2Own returns and sees some of the best researchers in the world attempt to take down the latest offerings from the largest vendors. Today, Adobe and Microsoft released the final patches prior to the contest. Let’s take a closer look at these updates (and hope they don’t disrupt Pwn2Own contestants too much).

Adobe Patches for March 2018

So far, Adobe has released only one update for March, and that's a patch for Flash correcting two Critical-rated CVEs. Neither of these bugs are listed as being under active attack. I say "so far," because it appears Adobe is still working on some additional patches. As of publication time, they haven't updated their bulletin summary page, which could indicate more patches are coming. If they do release more patches, we'll update this blog to reflect the changes.

UPDATE: Adobe has released two additional patches. The first patch corrects two Important-rated issues in Adobe Connect. This resolves a command injection bug and an unrestricted file upload vulnerability. The other update corrects only a single bug in Adobe Dreamweaver. This is also a command injection vulnerability. None of these bugs were reported as being public or under active attack. The five CVEs addressed by Adobe for March are definitely a stark contrast to the large update from Microsoft.

Microsoft Patches for March 2018

Microsoft released a whopping 75 security patches for March covering Internet Explorer (IE), Edge, ChakraCore, Microsoft Windows, Microsoft Office, and ASP.NET Core. Of these 75 CVEs, 14 are listed as Critical and 61 are rated Important in severity. Six of these CVEs came through the ZDI program. Two of these bugs are listed as being publicly known, but none are listed as being under active attack.

Let’s take a closer look at some of the more interesting patches for this month.

-          CVE-2018-0886 – CredSSP Remote Code Execution Vulnerability
This patch corrects a truly fascinating bug. For those not familiar with the component, the Credential Security Support Provider protocol (CredSSP) lets an app delegate a user’s credentials from the client to the target server for remote authentication. It’s important to understand this is not a constrained delegation. CredSSP passes the user's full credentials to the server without any constraint. That’s a key to how an attacker would exploit the bug. For example, with a Remote Desktop Protocol (RDP) session, an attacker could perform a man-in-the-middle attack to essentially take control of the session. It’s also important to note that simply applying the patch isn’t sufficient to be fully protected. Sysadmins must also enable Group Policy settings on their systems and update their Remote Desktop clients. While these settings are disabled by default, Microsoft does provide instructions to enable them. Of course, another alternative is to completely disable RDP, but since many enterprises rely on this service, that may not be a practical solution.

-          CVE-2018-0940 – Microsoft Exchange Elevation of Privilege Vulnerability
Another of the publicly known bugs for March involves an elevation of privilege vulnerability within Exchange Outlook Web Access (OWA). This patch corrects a bug in OWA that fails to properly sanitize links presented to users. An attacker could use this vulnerability to replace a legitimate OWA interface with a fake login page. Once at the page, the user would be enticed to enter their real credentials. However, based on the advisory, the attack requires a user to click the malicious link in order to be susceptible. Still, this is the sort of bug used in spear-phishing attacks.

-          CVE-2018-0868 – Windows Installer Elevation of Privilege Vulnerability
This bug in the Windows Installer could allow an elevation of privilege due to the improper sanitization of input. The multiple logic bugs could result in code execution with elevated privileges. At first glance, this doesn’t seem very crucial since an attacker would need the ability to run programs on a target system to exploit this vulnerability. However, this type of bug is often used by malware authors to “piggyback” their malicious code on top of innocuous code. It’s always easier to convince someone to install ‘GreatNewGame.exe’ instead of ‘EvilMalware.exe.’

Here’s the full list of CVEs released by Microsoft for March 2018.

Beyond what we’ve already covered, this month sees a whopping 21 browser-related fixes, 14 of which are rated Critical. It’s not surprising to see a rush of browser fixes released immediately prior to Pwn2Own, as browsers are a frequently targeted platform during the contest. There were also 14 kernel-related bug fixes released, which will definitely make the sandbox escapes seen in Pwn2Own more difficult. For contestants, testing their exploits on Tuesday night prior to the contest is always a nerve-racking time, as all targets in the contest will be fully patched.

This month also sees a plethora of Office-related bug fixes, including 13 for SharePoint alone. All of these involve bugs with input sanitization that could allow cross-site scripting (XSS) attacks. This month also sees multiple Exchange patches, which always tend to make sysadmins nervous. The March release is rounded out by patches for ASP.NET and Windows OS components. Folks with ASP.NET Core applications should definitely take note since some of these bugs could cause those apps to crash.

Finally, Microsoft also released their version of the aforementioned Adobe patch for Flash in Internet Explorer.

Looking Ahead

The next patch Tuesday falls on April 10, and we’ll return with details and patch analysis then. Follow us on Twitter and keep an eye on this blog to see all of the results from Pwn2Own. Until then, happy patching and may all your reboots be smooth and clean!