Microsoft Corporation today released a series of Patch Tuesday updates, issuing fixes for 60 flaws, two of which have reportedly been actively exploited as zero-days.
Collectively, the repairs address bugs found in Internet Explorer, Microsoft Edge, Windows, Microsoft Office (and Office Services and Web Apps), ChakraCore, Adobe Flash Player, .NET Framework, Microsoft Exchange Server, Microsoft SQL Server, and Visual Studio.
The first of the two exploited flaws is CVE-2018-8373, a critical memory corruption vulnerability in Internet Explorer’s scripting engine. According to a Microsoft advisory, attackers can exploit the bug to execute arbitrary code and gain the same rights as the current user. If that user has admin privileges, then the attackers could hijack the affected system and subsequently install programs, view or alter data, or create new accounts with full user rights.
“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website,” the advisory states. “An attacker could also embed an ActiveX control marked ‘safe for initialization’ in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.”
Trend Micro researcher Elliot Cao, who reported CVE-2018-8373 in conjunction with his company’s Zero Day Initiative, said that the issue is similar to another actively exploited vulnerability that was patched last May in Microsoft’s VBScript engine, Trend Micro revealed via its own blog post. “In other words, if there are similar bugs to this one, they will likely be found and exploited, too,” the post asserts.
The other exploited bug, CVE-2018-8414, was designated merely as important, despite allowing remote code execution when the Windows Shell fails to properly validate file paths. Attackers who capitalize on this flaw by tricking users into opening a specially crafted file (via email or compromised/malicious website) can take control of an affected system if said user is logged on as an administrator, another Microsoft advisory warns.
Microsoft has credited Matt Nelson of SpecterOps with uncovering the exploited RCE bug.
Microsoft also issued three separate security advisories, two of which [1, 2] address newly discovered speculative execution side-channel attack vulnerabilities in the same vein of Spectre and Meltdown.
As part of their own coverage of Patch Tuesday, McAfee today announced that it reported an elevation of privilege vulnerability (CVE-2018-8253) in the Windows Cortana virtual assistant, while Okta announced its discovery of a security feature bypass vulnerability (CVE-2018-8340) in the Active Directory Federation Services (ADFS) protocol that can allow attackers to subvert certain multi-factor authentication factors.