Network Security, Patch/Configuration Management, Vulnerability Management

Patch Tuesday August 2018: Microsoft corrects two actively exploited zero-day bugs

Microsoft Corporation today released a series of Patch Tuesday updates, issuing fixes for 60 flaws, two of which have reportedly been actively exploited as zero-days.

Collectively, the repairs address bugs found in Internet Explorer, Microsoft Edge, Windows, Microsoft Office (and Office Services and Web Apps), ChakraCore, Adobe Flash Player, .NET Framework, Microsoft Exchange Server, Microsoft SQL Server, and Visual Studio.

The first of the two exploited flaws is CVE-2018-8373, a critical memory corruption vulnerability in Internet Explorer's scripting engine. According to a Microsoft advisory, attackers can exploit the bug to execute arbitrary code and gain the same rights as the current user. If that user has admin privileges, then the attackers could hijack the affected system and subsequently install programs, view or alter data, or create new accounts with full user rights.

"In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website," the advisory states. "An attacker could also embed an ActiveX control marked 'safe for initialization' in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability."

Trend Micro researcher Elliot Cao, who reported CVE-2018-8373 in conjunction with his company's Zero Day Initiative, said that the issue is similar to another actively exploited vulnerability that was patched last May in Microsoft's VBScript engine, Trend Micro revealed via its own blog post. "In other words, if there are similar bugs to this one, they will likely be found and exploited, too," the post asserts.

The other exploited bug, CVE-2018-8414, was designated merely as important, despite allowing remote code execution when the Windows Shell fails to properly validate file paths. Attackers who capitalize on this flaw by tricking users into opening a specially crafted file (via email or compromised/malicious website) can take control of an affected system if said user is logged on as an administrator, another Microsoft advisory warns.

Microsoft has credited Matt Nelson of SpecterOps with uncovering the exploited RCE bug.

Microsoft also issued three separate security advisories, two of which [12] address newly discovered speculative execution side-channel attack vulnerabilities in the same vein of Spectre and Meltdown.

As part of their own coverage of Patch Tuesday, McAfee today announced that it reported an elevation of privilege vulnerability (CVE-2018-8253) in the Windows Cortana virtual assistant, while Okta announced its discovery of a security feature bypass vulnerability (CVE-2018-8340) in the Active Directory Federation Services (ADFS) protocol that can allow attackers to subvert certain multi-factor authentication factors.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.