The April 2018 Security Update Review
April 10, 2018 | Dustin ChildsApril is here, and with it comes the latest security patches from Adobe, Apple and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for April’s security updates.
Adobe Patches for April 2018
For April 2018, Adobe released updates for five products covering a total of 14 CVEs. The most significant of these releases is the update for Adobe Flash, which addresses three Critical- and three Important-rated CVEs. The Critical bugs include a couple of Out-of-Bounds (OOB) writes and a Use-After-Free that could allow remote code execution. At six CVEs, this is one of the larger Flash patches in a few months. Another significant patch from Adobe this month covers two CVEs in InDesign, one of which is a Critical-rated arbitrary code execution bug. These two patches should be at the top of your Adobe test and deployment schedule for April.
In addition to those already mentioned, there are two Important-rated info disclosure bugs fixed in Adobe Digital Editions. Another patch covers two Important- and one Moderate-rated info disclosure bugs in Experience Manager. The final patch from Adobe this month covers a bug in the Adobe PhoneGap Push Plugin. The patch corrects a Same-Origin Method Execution (SOME) bug that could be used to trick users of PhoneGap apps into executing click events and other unintended user interactions. It should be noted this is a not a patch-and-forget situation. As described in the bulletin, “After updating to the latest version of the plugin, application authors should recompile any apps built with PhoneGap using the new plugin.” That also means the recompiled apps will need to be pushed out to users as well.
Update: After the initial publication of this blog, Adobe also released a patch for Cold Fusion addressing five CVEs. The most severe of these could allow for remote code execution and are rated Critical. Don't miss this one if you have Cold Fusion in your environment.
Apple Patches for April 2018
Apple released their most recent updates on March 29 by addressing a total of 66 different CVEs across iOS, watchOS, tvOS, Xcode, iTunes, macOS, iCloud and Safari. Nine of these CVEs came through the ZDI program, including five Webkit JIT-related bugs from our own Jasiel Spelman (@WanderingGlitch). Since Apple CVEs are often shared between components, we have created this graphic to show which bugs are shared between components. Several kernel bugs are included in these updates and cover both info disclosure and elevation of privilege vulnerabilities. You’ll also see a few of these bugs credited to Pwn2Own winner Samuel Groß (@5aelo). However, none of these fixes relate to bugs disclosed at the contest.
Microsoft Patches for April 2018
Microsoft released 67 security patches for April covering Internet Explorer (IE), Edge, ChakraCore, Windows, Visual Studio, Microsoft Office and Office Services and Web Apps, and the Malware Protection Engine. Of these 67 CVEs, 24 are listed as Critical, 42 are rated Important, and one is listed as Moderate in severity. Seven of these CVEs came through the ZDI program. Only one of these bugs is listed as being publicly known, and none are listed as being under active attack.
Let’s take a closer look at some of the more interesting patches for this month.
- CVE-2018-8117 – Microsoft Wireless Keyboard 850 Security Feature Bypass Vulnerability
Patches for hardware are rare, and patches for keyboards are especially rare, so it was somewhat shocking to see this bug detailed. However, the severity of this bug should not be scoffed at. This vulnerability could affect you in two ways. First, an attacker could read your keystrokes – effectively turning your keyboard into a keystroke logger. Everything you type – passwords, account details, emails – could be viewed. The other result of this bug could allow an attacker to inject keystrokes to an affected system. All of this is due to the attacker being able to reuse an AES encryption key. Fortunately, to exploit this, the attacker must extract the AES encryption key from the affected keyboard – not a trivial task. Still, it’s a fascinating bug. If you have this keyboard, do not miss applying this patch.
- CVE-2018-1004 – Windows VBScript Engine Remote Code Execution Vulnerability
This Critical-rated bug for the VBScript Engine acts somewhat like a browser bug, but it’s actually more impactful. To exploit this vulnerability, an attacker could host a malicious website and convince someone to browse there – just like most browser bugs. With this bug, an attacker could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine. These vectors make this bug more appealing than a browser bug since the attack surface is broader.
- CVE-2018-1010, -1012, -1013, -1015, -1016 - Microsoft Graphics Remote Code Execution Vulnerability
I combined these five bugs since they all share the same title and description. Those of us who lived through Duqu always shudder a bit when we see font-related bugs, and these have me downright shivering. Each of these patches covers a vulnerability in embedded fonts that could allow code execution at the logged-on user level. Since there are many ways to view fonts – web browsing, documents, attachments – it’s a broad attack surface and attractive to attackers. Given the history of malicious fonts, these patches should be high on your test and deployment list. This is also a good time to remind you to not do day-to-day tasks as an administrator.
- CVE-2018-0986 – Microsoft Malware Protection Engine Remote Code Execution VulnerabilityThis patch was actually released to little fanfare last week, but it shouldn’t be ignored. The bug itself is pretty severe as it could allow an attacker to execute code on a target system by having the engine scan a maliciously-crafted file. Of course, the malware protection engine’s job is to scan files, so it’s a likely scenario. The good news here is that most people will have no action to take as the engine contains a built-in mechanism for the automatic detection and deployment of updates. For those few who do have that odd configuration where an action is required, roll this patch out immediately. Similar to CVE-2017-11937 in December, people have referred to this as an out-of-band (OOB) release. That’s not actually the case here. Malware Protection Engine updates are not tied to Patch Tuesday. There’s no concept of an OOB release for the engine; it’s updated whenever it is needed.
Here’s the full list of CVEs released by Microsoft for April 2018.
CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older |
CVE-2018-1034 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | Yes | No | 3 | 3 |
CVE-2018-0870 | Internet Explorer Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
CVE-2018-0979 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2018-0980 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2018-0981 | Scripting Engine Information Disclosure Vulnerability | Critical | No | No | 1 | 1 |
CVE-2018-0986 | Microsoft Malware Protection Engine Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 |
CVE-2018-0988 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
CVE-2018-0990 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2018-0991 | Internet Explorer Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
CVE-2018-0993 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2018-0994 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2018-0995 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2018-0996 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
CVE-2018-1000 | Scripting Engine Information Disclosure Vulnerability | Critical | No | No | 1 | 1 |
CVE-2018-1004 | Windows VBScript Engine Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 |
CVE-2018-1010 | Microsoft Graphics Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 |
CVE-2018-1012 | Microsoft Graphics Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 |
CVE-2018-1013 | Microsoft Graphics Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 |
CVE-2018-1015 | Microsoft Graphics Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 |
CVE-2018-1016 | Microsoft Graphics Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 |
CVE-2018-1018 | Internet Explorer Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
CVE-2018-1019 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2018-1020 | Internet Explorer Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
CVE-2018-1022 | Microsoft Edge Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2018-1023 | Microsoft Browser Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
CVE-2018-0887 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
CVE-2018-0890 | Active Directory Security Feature Bypass Vulnerability | Important | No | No | N/A | 3 |
CVE-2018-0892 | Microsoft Edge Information Disclosure Vulnerability | Important | No | No | 1 | N/A |
CVE-2018-0920 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 1 | 1 |
CVE-2018-0950 | Microsoft Office Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
CVE-2018-0956 | HTTP.sys Denial of Service Vulnerability | Important | No | No | 3 | 3 |
CVE-2018-0957 | Hyper-V Information Disclosure Vulnerability | Important | No | No | N/A | 2 |
CVE-2018-0960 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
CVE-2018-0963 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 |
CVE-2018-0964 | Hyper-V Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
CVE-2018-0966 | Device Guard Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 |
CVE-2018-0967 | Windows SNMP Service Denial of Service Vulnerability | Important | No | No | 3 | 3 |
CVE-2018-0968 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
CVE-2018-0969 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
CVE-2018-0970 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
CVE-2018-0971 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
CVE-2018-0972 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
CVE-2018-0973 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
CVE-2018-0974 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
CVE-2018-0975 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
CVE-2018-0976 | Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability | Important | No | No | 3 | 3 |
CVE-2018-0987 | Scripting Engine Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
CVE-2018-0989 | Scripting Engine Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
CVE-2018-0997 | Internet Explorer Memory Corruption Vulnerability | Important | No | No | 2 | 2 |
CVE-2018-0998 | Microsoft Edge Information Disclosure Vulnerability | Important | No | No | 2 | N/A |
CVE-2018-1001 | Scripting Engine Memory Corruption Vulnerability | Important | No | No | 1 | 1 |
CVE-2018-1003 | Microsoft JET Database Engine Remote Code Execution Vulnerability | Important | No | No | 1 | 1 |
CVE-2018-1005 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | 3 | 3 |
CVE-2018-1007 | Microsoft Office Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
CVE-2018-1008 | OpenType Font Driver Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
CVE-2018-1009 | Microsoft DirectX Graphics Kernel Subsystem Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 |
CVE-2018-1011 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 1 | 1 |
CVE-2018-1014 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | 3 | 3 |
CVE-2018-1026 | Microsoft Office Remote Code Execution Vulnerability | Important | No | No | 1 | 1 |
CVE-2018-1027 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 1 | 1 |
CVE-2018-1028 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important | No | No | 1 | 1 |
CVE-2018-1029 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 1 | 1 |
CVE-2018-1030 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 1 | 1 |
CVE-2018-1032 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | 3 | 3 |
CVE-2018-1037 | Microsoft Visual Studio Information Disclosure Vulnerability | Important | No | No | 3 | 3 |
CVE-2018-8117 | Microsoft Wireless Keyboard 850 Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 |
CVE-2018-8116 | Microsoft Graphics Component Denial of Service Vulnerability | Moderate | No | No | 3 | 3 |
Beyond what we’ve already covered, the month sees another huge grouping of browser-related fixes, many of which are rated as Critical RCE. There are 10 different Windows Kernel info disclosure vulnerabilities being addressed this month, which likely means bad news for people attempting sandbox escapes. Many Office bugs are being addressed this month, with four being for Excel and five being for the Office suite in general. These accompany four SharePoint vulnerabilities, one of which is the publicly known issue being patched this month.
Finally, Microsoft also released their version of the aforementioned Adobe patch for Flash in Internet Explorer.
Looking Ahead
The next patch Tuesday falls on May 8, and we’ll return with details and patch analysis then. Follow us on Twitter to see the latest and greatest coming from the ZDI program. Until then, happy patching and may all your reboots be smooth and clean!