The March 2018 Security Update Review

March 13, 2018 | Dustin Childs

Tomorrow in Vancouver, Pwn2Own returns and sees some of the best researchers in the world attempt to take down the latest offerings from the largest vendors. Today, Adobe and Microsoft released the final patches prior to the contest. Let’s take a closer look at these updates (and hope they don’t disrupt Pwn2Own contestants too much).

Adobe Patches for March 2018

So far, Adobe has released only one update for March, and that's a patch for Flash correcting two Critical-rated CVEs. Neither of these bugs is listed as being under active attack. I say "so far," because it appears Adobe is still working on some additional patches. As of publication time, they haven't updated their bulletin summary page, which could indicate more patches are coming. If they do release more patches, we'll update this blog to reflect the changes.

UPDATE: Adobe has released two additional patches. The first patch corrects two Important-rated issues in Adobe Connect. This resolves a command injection bug and an unrestricted file upload vulnerability. The other update corrects only a single bug in Adobe Dreamweaver. This is also a command injection vulnerability. None of these bugs were reported as being public or under active attack. The five CVEs addressed by Adobe for March are definitely a stark contrast to the large update from Microsoft.

Microsoft Patches for March 2018

Microsoft released a whopping 75 security patches for March covering Internet Explorer (IE), Edge, ChakraCore, Microsoft Windows, Microsoft Office, and ASP.NET Core. Of these 75 CVEs, 14 are listed as Critical and 61 are rated Important in severity. Six of these CVEs came through the ZDI program. Two of these bugs are listed as being publicly known, but none are listed as being under active attack.

Let’s take a closer look at some of the more interesting patches for this month.

- CVE-2018-0886 – CredSSP Remote Code Execution Vulnerability
This patch corrects a truly fascinating bug. For those not familiar with the component, the Credential Security Support Provider protocol (CredSSP) lets an app delegate a user’s credentials from the client to the target server for remote authentication. It’s important to understand this is not a constrained delegation. CredSSP passes the user's full credentials to the server without any constraint. That’s a key to how an attacker would exploit the bug. For example, with a Remote Desktop Protocol (RDP) session, an attacker could perform a man-in-the-middle attack to essentially take control of the session. It’s also important to note that simply applying the patch isn’t sufficient to be fully protected. Sysadmins must also enable Group Policy settings on their systems and update their Remote Desktop clients. While these settings are disabled by default, Microsoft does provide instructions to enable them. Of course, another alternative is to completely disable RDP, but since many enterprises rely on this service, that may not be a practical solution.

- CVE-2018-0940 – Microsoft Exchange Elevation of Privilege Vulnerability
Another of the publicly known bugs for March involves an elevation of privilege vulnerability within Exchange Outlook Web Access (OWA). This patch corrects a bug in OWA that fails to properly sanitize links presented to users. An attacker could use this vulnerability to replace a legitimate OWA interface with a fake login page. Once at the page, the user would be enticed to enter their real credentials. However, based on the advisory, the attack requires a user to click the malicious link in order to be susceptible. Still, this is the sort of bug used in spear-phishing attacks.

- CVE-2018-0868 – Windows Installer Elevation of Privilege Vulnerability
This bug in the Windows Installer could allow an elevation of privilege due to the improper sanitization of input. The multiple logic bugs could result in code execution with elevated privileges. At first glance, this doesn’t seem very crucial since an attacker would need the ability to run programs on a target system to exploit this vulnerability. However, this type of bug is often used by malware authors to “piggyback” their malicious code on top of innocuous code. It’s always easier to convince someone to install ‘GreatNewGame.exe’ instead of ‘EvilMalware.exe.’

Here’s the full list of CVEs released by Microsoft for March 2018.

| CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older |
|---|---|---|---|---|---|---|
| CVE-2018-0808 | ASP.NET Core Denial Of Service Vulnerability | Important | Yes | No | 3 | 3 |
| CVE-2018-0940 | Microsoft Exchange Elevation of Privilege Vulnerability | Important | Yes | No | 3 | 3 |
| CVE-2018-0930 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-0931 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-0933 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-0934 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-0936 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-0937 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-0872 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-0874 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-0932 | Microsoft Browser Information Disclosure Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-0939 | Scripting Engine Information Disclosure Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-0889 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
| CVE-2018-0893 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-0876 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A |
| CVE-2018-0925 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-0875 | ASP.NET Core Denial of Service Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0787 | ASP.NET Core Elevation Of Privilege Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0873 | Chakra Scripting Engine Memory Corruption Vulnerability | Important | No | No | 1 | N/A |
| CVE-2018-0902 | CNG Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0886 | CredSSP Remote Code Execution Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0888 | Hyper-V Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0942 | Internet Explorer Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-0929 | Internet Explorer Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-0903 | Microsoft Access Remote Code Execution Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0908 | Microsoft Identity Manager XSS Elevation of Privilege Vulnerability | Important | No | No | 3 | 4 |
| CVE-2018-0891 | Microsoft Browser Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-0927 | Microsoft Browser Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-0879 | Microsoft Edge Information Disclosure Vulnerability | Important | No | No | 1 | N/A |
| CVE-2018-0924 | Microsoft Exchange Information Disclosure Vulnerability | Important | No | No | 3 | 3 |
| CVE-2018-0941 | Microsoft Exchange Information Disclosure Vulnerability | Important | No | No | 3 | 3 |
| CVE-2018-0907 | Microsoft Office Excel Security Feature Bypass | Important | No | No | 1 | 1 |
| CVE-2018-0919 | Microsoft Office Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-0922 | Microsoft Office Memory Corruption Vulnerability | Important | No | No | N/A | 2 |
| CVE-2018-0947 | Microsoft Sharepoint Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0909 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0910 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0911 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0912 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0913 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0914 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0915 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0916 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0917 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | 2 | N/A |
| CVE-2018-0921 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | 2 | N/A |
| CVE-2018-0923 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0944 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0881 | Microsoft Video Control Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0935 | Scripting Engine Memory Corruption Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-0880 | Windows Desktop Bridge Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0882 | Windows Desktop Bridge Elevation of Privilege Vulnerability | Important | No | No | N/A | 2 |
| CVE-2018-0877 | Windows Desktop Bridge VFS Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0816 | Windows GDI Elevation of Privilege Vulnerability | Important | No | No | N/A | 1 |
| CVE-2018-0817 | Windows GDI Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-0815 | Windows GDI Elevation of Privilege Vulnerability | Important | No | No | N/A | 1 |
| CVE-2018-0885 | Windows Hyper-V Denial of Service Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0868 | Windows Installer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0811 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-0894 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-0895 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-0896 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-0897 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-0898 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-0899 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-0900 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-0901 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-0926 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-0813 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-0814 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-0904 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-0977 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-0983 | Windows Storage Services Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-0878 | Windows Remote Assistance Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0884 | Windows Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0883 | Windows Shell Remote Code Execution Vulnerability | Important | No | No | 1 | 1 |

Beyond what we’ve already covered, this month sees a whopping 21 browser-related fixes, 14 of which are rated Critical. It’s not surprising to see a rush of browser fixes released immediately prior to Pwn2Own, as browsers are a frequently targeted platform during the contest. There were also 14 kernel-related bug fixes released, which will definitely make the sandbox escapes seen in Pwn2Own more difficult. For contestants, testing their exploits on Tuesday night prior to the contest is always a nerve-racking time, as all targets in the contest will be fully patched.

This month also sees a plethora of Office-related bug fixes, including 13 for SharePoint alone. All of these involve bugs with input sanitization that could allow cross-site scripting (XSS) attacks. This month also sees multiple Exchange patches, which always tend to make sysadmins nervous. The March release is rounded out by patches for ASP.NET and Windows OS components. Folks with ASP.NET Core applications should definitely take note since some of these bugs could cause those apps to crash.

Finally, Microsoft also released their version of the aforementioned Adobe patch for Flash in Internet Explorer.

Looking Ahead

The next Patch Tuesday falls on April 10, and we’ll return with details and patch analysis then. Follow us on Twitter and keep an eye on this blog to see all of the results from Pwn2Own. Until then, happy patching and may all your reboots be smooth and clean!