The September 2018 Security Update Review
September 11, 2018 | Dustin Childs
September is upon us and with it comes the latest in security offerings from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.
Adobe Patches for September 2018
Adobe begins the September patch cycle with two updates for Flash and ColdFusion addressing a total of 10 CVEs. The Flash update corrects one info disclosure bug, while the ColdFusion patch fixes a mix of code execution and information disclosure bugs. There are multiple critical-rated CVEs remedied by the ColdFusion patch. If you’re using this development tool, definitely get this patch applied.
Microsoft Patches for September 2018
Microsoft released 61 security patches and two advisories covering Internet Explorer (IE), Edge, ChakraCore, Azure, Hyper-V, Windows components, .NET Framework, SQL Server, and Microsoft Office and Office Services. Of the 62 CVEs, 17 are listed as Critical, 43 are rated Important, and one is rated as Moderate in severity. A total of ten of these CVEs came through the ZDI program. Four of these bugs are listed as publicly known at the time of release and one of these is reported as being actively exploited.
Let’s take a closer look at some of the more interesting patches for this month, starting with the issue currently under active attack:
- CVE-2018-8440 – Windows ALPC Elevation of Privilege Vulnerability
This CVE was publicly disclosed via Twitter back on August 27th and was reportedly seen in malware as soon as September 5th. The bug itself allows attackers to elevate privileges and run code with administrative privileges due to an improper Advanced Local Procedure Call (ALPC). An ALPC is an internal mechanism normally restricted to Windows operating system components. A lack of permissions checking in the Spooler process allows the elevation. This bug should be on the top of everyone’s deployment list.
- CVE-2018-8475 – Windows Remote Code Execution Vulnerability
Were it not for the bug already under exploit, this publicly known bug would be at the top of the priority ranking. This CVE could allow an attacker to execute code on a target system just by convincing someone to view an image. That’s all the user interaction needed. Open the wrong image – even through a web browser – and code executes, making this a browse-and-own scenario. Microsoft provides no information on where this is public, but given the severity of the issue and the relative ease of exploitation, expect this one to find its way into exploit kits quickly.
- CVE-2018-0965, CVE-2018-8439 – Windows Hyper-V Remote Code Execution Vulnerability
These are two different CVEs, but I grouped them together as they have the same exploit scenario and impact. For both cases, a user on a guest virtual machine could execute code on the underlying hypervisor OS. The root cause for both of these bugs goes back to the failure to properly validate user input. Although titled as “remote code execution,” these bugs require an attacker to execute code on the guest OS. If an attacker (or malware) does have the ability to run programs, their code executes on the hypervisor – potentially impacting other guest OSes.
- CVE-2018-8449 – Device Guard Security Feature Bypass Vulnerability
This bug could allow an unsigned file to appear signed and therefore trusted. Since Device Guard relies on signatures to determine if a file is malicious or not, bypassing these signatures opens the door for malware. Expect this bug to show up in future exploits.
Here’s the full list of CVEs released by Microsoft for September 2018.
CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older | Type |
CVE-2018-8440 | Windows ALPC Elevation of Privilege Vulnerability | Important | Yes | Yes | 1 | 1 | EoP |
CVE-2018-8475 | Windows Remote Code Execution Vulnerability | Critical | Yes | No | 1 | 1 | RCE |
CVE-2018-8457 | Scripting Engine Memory Corruption Vulnerability | Critical | Yes | No | 1 | N/A | RCE |
CVE-2018-8409 | ASP.NET Core Denial of Service | Important | Yes | No | 2 | 2 | DoS |
CVE-2018-0965 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | No | No | N/A | 2 | RCE |
CVE-2018-8367 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
CVE-2018-8420 | MS XML Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 | RCE |
CVE-2018-8461 | Internet Explorer Memory Corruption Vulnerability | Critical | No | No | 1 | 1 | RCE |
CVE-2018-8332 | Win32k Graphics Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2018-8391 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
CVE-2018-8421 | .NET Framework Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2018-8439 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2018-8447 | Internet Explorer Memory Corruption Vulnerability | Critical | No | No | 1 | 1 | RCE |
CVE-2018-8456 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
CVE-2018-8459 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
CVE-2018-8464 | Microsoft Edge PDF Remote Code Execution Vulnerability | Critical | No | No | 1 | N/A | RCE |
CVE-2018-8465 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
CVE-2018-8466 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
CVE-2018-8467 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
CVE-2018-8479 | Azure IoT SDK Spoofing Vulnerability | Important | No | No | N/A | N/A | Spoof |
CVE-2018-8269 | Odata Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2018-8335 | Windows SMB Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2018-8436 | Windows Hyper-V Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2018-8437 | Windows Hyper-V Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2018-8438 | Windows Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2018-8410 | Windows Registry Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2018-8462 | DirectX Graphics Kernel Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2018-8428 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2018-8431 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2018-8441 | Windows Subsystem for Linux Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2018-8455 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2018-8463 | Microsoft Edge Elevation of Privilege Vulnerability | Important | No | No | 1 | N/A | EoP |
CVE-2018-8468 | Windows Elevation of Privilege Vulnerability | Important | No | No | 1 | N/A | EoP |
CVE-2018-8469 | Microsoft Edge Elevation of Privilege Vulnerability | Important | No | No | 1 | N/A | EoP |
CVE-2018-8271 | Windows Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2018-8315 | Microsoft Scripting Engine Information Disclosure Vulnerability | Important | No | No | 2 | N/A | Info |
CVE-2018-8336 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | N/A | 2 | Info |
CVE-2018-8419 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2018-8424 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2018-8433 | Microsoft Graphics Component Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2018-8429 | Microsoft Excel Information Disclosure Vulnerability | Important | No | No | 2 | N/A | Info |
CVE-2018-8434 | Windows Hyper-V Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2018-8442 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 1 | 1 | Info |
CVE-2018-8443 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2018-8444 | Windows SMB Information Disclosure Vulnerability | Important | No | No | N/A | 2 | Info |
CVE-2018-8445 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2018-8446 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2018-8452 | Scripting Engine Information Disclosure Vulnerability | Important | No | No | 1 | N/A | Info |
CVE-2018-8354 | Scripting Engine Memory Corruption Vulnerability | Important | No | No | 1 | N/A | RCE |
CVE-2018-8366 | Microsoft Edge Information Disclosure Vulnerability | Important | No | No | 1 | N/A | RCE |
CVE-2018-8392 | Microsoft JET Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2018-8393 | Microsoft JET Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2018-8430 | Word PDF Remote Code Execution Vulnerability | Important | No | No | 1 | 1 | RCE |
CVE-2018-8331 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 1 | N/A | RCE |
CVE-2018-8337 | Windows Subsystem for Linux Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 | SFB |
CVE-2018-8435 | Windows Hyper-V Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 | SFB |
CVE-2018-8449 | Device Guard Security Feature Bypass Vulnerability | Important | No | No | 1 | 1 | SFB |
CVE-2018-8470 | Internet Explorer Security Feature Bypass Vulnerability | Important | No | No | 1 | 1 | SFB |
CVE-2018-8425 | Microsoft Edge Spoofing Vulnerability | Important | No | No | 1 | N/A | Spoof |
CVE-2018-8426 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
CVE-2018-8474 | Lync for Mac 2011 Security Feature Bypass Vulnerability | Moderate | No | No | N/A | 2 | SFB |
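The highlights above are ordered by active exploitation first, then public disclosure. The sketch below is an added example, not part of the original post: it parses rows in this table's pipe-delimited layout and applies that ordering, generalized with severity and exploitability index as tie-breakers. The tie-breaker order is an assumption, as is reading the XI columns as Microsoft's Exploitability Index, where a lower number means exploitation is more likely.

```python
SEVERITY = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}

# Header plus a subset of rows copied from the table above.
ROWS = """\
CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older | Type |
CVE-2018-8409 | ASP.NET Core Denial of Service | Important | Yes | No | 2 | 2 | DoS |
CVE-2018-8439 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2018-8440 | Windows ALPC Elevation of Privilege Vulnerability | Important | Yes | Yes | 1 | 1 | EoP |
CVE-2018-8474 | Lync for Mac 2011 Security Feature Bypass Vulnerability | Moderate | No | No | N/A | 2 | SFB |
CVE-2018-8475 | Windows Remote Code Execution Vulnerability | Critical | Yes | No | 1 | 1 | RCE |
CVE-2018-8449 | Device Guard Security Feature Bypass Vulnerability | Important | No | No | 1 | 1 | SFB |
"""

def xi(cell):
    # "N/A" (no rating for that release) sorts after every numeric rating.
    return int(cell) if cell.isdigit() else 9

def parse_rows(text):
    """Turn table lines into dicts; the header and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().rstrip("|").split("|")]
        if len(cells) != 8 or not cells[0].startswith("CVE-"):
            continue
        cve, title, sev, public, exploited, xi_new, xi_old, kind = cells
        entries.append({
            "cve": cve, "title": title, "severity": sev, "type": kind,
            "public": public == "Yes", "exploited": exploited == "Yes",
            "xi": min(xi(xi_new), xi(xi_old)),  # worst case across releases
        })
    return entries

def triage_key(e):
    # Assumed ordering: exploited, then public, then severity, then XI.
    return (not e["exploited"], not e["public"],
            SEVERITY.get(e["severity"], 9), e["xi"], e["cve"])

def rank(text):
    return [e["cve"] for e in sorted(parse_rows(text), key=triage_key)]

if __name__ == "__main__":
    for cve in rank(ROWS):
        print(cve)
```

Feeding the full table through `rank` gives a deployment order that can be filtered against the products actually present in an environment.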
Browser bugs again feature prominently in this month’s release with 19 patches for browser-related issues. While use after free (UAF) bugs in browsers are on the decline, researcher focus on browsers certainly isn’t, as JIT bugs become the new UAF. There’s also a critical-rated bug in MS-XML that could allow a browse-and-own scenario and functionally acts like a browser bug. Developers need to take notice, as several patches impact developer tools. A denial of service bug in ASP.NET Core is listed as publicly known, and a bug in the .NET Framework could allow an RCE to occur. There are also two patches for the Windows Subsystem for Linux.
Several Windows components receive patches this month, including new fixes for embedded fonts. In addition to the bugs highlighted above, Hyper-V receives five other fixes for DoS, info disclosure, and security feature bypass issues. Multiple patches cover various graphics components, and the kernel receives its now monthly group of fixes. Several Office components also receive fixes, with the majority of these focused around Excel.
Information disclosure bugs are highlighted this month with 14 being addressed across various components. On their own, these don’t cause much of a problem, but they’re often combined with other vulnerabilities to make them reliable. These go along with the five patches addressing security feature bypasses. In a sense, these fixes can be viewed as asymmetric since their impact goes beyond just these individual code changes. Changes that make exploitation more difficult are always welcome. The September release is rounded out by a moderate-severity security feature bypass in Lync for Mac 2011. Surprisingly, this venerable instant messenger is still available for download.
There are two advisories to cover this month as well. The first offers workarounds for the “FragmentSmack” DoS (CVE-2018-5391). This was initially discovered in the Linux kernel TCP/IP implementation, but it clearly affects Windows as well. The advisory recommends dropping out-of-order packets with perimeter devices until a full fix is available from Microsoft.
The other advisory covers the Microsoft version of the aforementioned Adobe patch for Flash in Internet Explorer.
Looking Ahead
The next Patch Tuesday falls on October 9, and we’ll return with details and patch analysis then. Until then, happy patching and may all your reboots be smooth and clean!