The April 2018 Security Update Review

April 10, 2018 | Dustin Childs

April is here, and with it come the latest security patches from Adobe, Apple and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for April’s security updates.

Adobe Patches for April 2018

For April 2018, Adobe released updates for five products covering a total of 14 CVEs. The most significant of these releases is the update for Adobe Flash, which addresses three Critical- and three Important-rated CVEs. The Critical bugs include a couple of Out-of-Bounds (OOB) writes and a Use-After-Free that could allow remote code execution. At six CVEs, this is one of the larger Flash patches in a few months. Another significant patch from Adobe this month covers two CVEs in InDesign, one of which is a Critical-rated arbitrary code execution bug. These two patches should be at the top of your Adobe test and deployment schedule for April.

In addition to those already mentioned, there are two Important-rated info disclosure bugs fixed in Adobe Digital Editions. Another patch covers two Important- and one Moderate-rated info disclosure bugs in Experience Manager. The final patch from Adobe this month covers a bug in the Adobe PhoneGap Push Plugin. The patch corrects a Same-Origin Method Execution (SOME) bug that could be used to trick users of PhoneGap apps into executing click events and other unintended user interactions. It should be noted that this is not a patch-and-forget situation. As described in the bulletin, “After updating to the latest version of the plugin, application authors should recompile any apps built with PhoneGap using the new plugin.” That also means the recompiled apps will need to be pushed out to users as well.

Update: After the initial publication of this blog, Adobe also released a patch for ColdFusion addressing five CVEs. The most severe of these could allow for remote code execution and are rated Critical. Don't miss this one if you have ColdFusion in your environment.

Apple Patches for April 2018

Apple released their most recent updates on March 29, addressing a total of 66 different CVEs across iOS, watchOS, tvOS, Xcode, iTunes, macOS, iCloud and Safari. Nine of these CVEs came through the ZDI program, including five WebKit JIT-related bugs from our own Jasiel Spelman (@WanderingGlitch). Since Apple CVEs are often shared between components, we have created this graphic to show which bugs are shared between components. Several kernel bugs are included in these updates and cover both info disclosure and elevation of privilege vulnerabilities. You’ll also see a few of these bugs credited to Pwn2Own winner Samuel Groß (@5aelo). However, none of these fixes relate to bugs disclosed at the contest.

Microsoft Patches for April 2018

Microsoft released 67 security patches for April covering Internet Explorer (IE), Edge, ChakraCore, Windows, Visual Studio, Microsoft Office and Office Services and Web Apps, and the Malware Protection Engine. Of these 67 CVEs, 24 are listed as Critical, 42 are rated Important, and one is listed as Moderate in severity. Seven of these CVEs came through the ZDI program. Only one of these bugs is listed as being publicly known, and none are listed as being under active attack.

Let’s take a closer look at some of the more interesting patches for this month.

- CVE-2018-8117 – Microsoft Wireless Keyboard 850 Security Feature Bypass Vulnerability
Patches for hardware are rare, and patches for keyboards are especially rare, so it was somewhat shocking to see this bug detailed. However, the severity of this bug should not be scoffed at. This vulnerability could affect you in two ways. First, an attacker could read your keystrokes – effectively turning your keyboard into a keystroke logger. Everything you type – passwords, account details, emails – could be viewed. The other result of this bug could allow an attacker to inject keystrokes to an affected system. All of this is due to the attacker being able to reuse an AES encryption key. Fortunately, to exploit this, the attacker must extract the AES encryption key from the affected keyboard – not a trivial task. Still, it’s a fascinating bug. If you have this keyboard, do not miss applying this patch.

- CVE-2018-1004 – Windows VBScript Engine Remote Code Execution Vulnerability
This Critical-rated bug for the VBScript Engine acts somewhat like a browser bug, but it’s actually more impactful. To exploit this vulnerability, an attacker could host a malicious website and convince someone to browse there – just like most browser bugs. With this bug, an attacker could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine. These vectors make this bug more appealing than a browser bug since the attack surface is broader.

- CVE-2018-1010, -1012, -1013, -1015, -1016 – Microsoft Graphics Remote Code Execution Vulnerability
I combined these five bugs since they all share the same title and description. Those of us who lived through Duqu always shudder a bit when we see font-related bugs, and these have me downright shivering. Each of these patches covers a vulnerability in embedded fonts that could allow code execution at the logged-on user level. Since there are many ways to view fonts – web browsing, documents, attachments – it’s a broad attack surface and attractive to attackers. Given the history of malicious fonts, these patches should be high on your test and deployment list. This is also a good time to remind you to not do day-to-day tasks as an administrator.

- CVE-2018-0986 – Microsoft Malware Protection Engine Remote Code Execution Vulnerability
This patch was actually released to little fanfare last week, but it shouldn’t be ignored. The bug itself is pretty severe as it could allow an attacker to execute code on a target system by having the engine scan a maliciously-crafted file. Of course, the malware protection engine’s job is to scan files, so it’s a likely scenario. The good news here is that most people will have no action to take as the engine contains a built-in mechanism for the automatic detection and deployment of updates. For those few who do have that odd configuration where an action is required, roll this patch out immediately. Similar to CVE-2017-11937 in December, people have referred to this as an out-of-band (OOB) release. That’s not actually the case here. Malware Protection Engine updates are not tied to Patch Tuesday. There’s no concept of an OOB release for the engine; it’s updated whenever it is needed.

Here’s the full list of CVEs released by Microsoft for April 2018.

| CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older |
|---|---|---|---|---|---|---|
| CVE-2018-1034 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | Yes | No | 3 | 3 |
| CVE-2018-0870 | Internet Explorer Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
| CVE-2018-0979 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-0980 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-0981 | Scripting Engine Information Disclosure Vulnerability | Critical | No | No | 1 | 1 |
| CVE-2018-0986 | Microsoft Malware Protection Engine Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 |
| CVE-2018-0988 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
| CVE-2018-0990 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-0991 | Internet Explorer Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
| CVE-2018-0993 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-0994 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-0995 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-0996 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
| CVE-2018-1000 | Scripting Engine Information Disclosure Vulnerability | Critical | No | No | 1 | 1 |
| CVE-2018-1004 | Windows VBScript Engine Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 |
| CVE-2018-1010 | Microsoft Graphics Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 |
| CVE-2018-1012 | Microsoft Graphics Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 |
| CVE-2018-1013 | Microsoft Graphics Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 |
| CVE-2018-1015 | Microsoft Graphics Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 |
| CVE-2018-1016 | Microsoft Graphics Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 |
| CVE-2018-1018 | Internet Explorer Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
| CVE-2018-1019 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-1020 | Internet Explorer Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
| CVE-2018-1022 | Microsoft Edge Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-1023 | Microsoft Browser Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-0887 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0890 | Active Directory Security Feature Bypass Vulnerability | Important | No | No | N/A | 3 |
| CVE-2018-0892 | Microsoft Edge Information Disclosure Vulnerability | Important | No | No | 1 | N/A |
| CVE-2018-0920 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-0950 | Microsoft Office Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-0956 | HTTP.sys Denial of Service Vulnerability | Important | No | No | 3 | 3 |
| CVE-2018-0957 | Hyper-V Information Disclosure Vulnerability | Important | No | No | N/A | 2 |
| CVE-2018-0960 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0963 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0964 | Hyper-V Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0966 | Device Guard Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0967 | Windows SNMP Service Denial of Service Vulnerability | Important | No | No | 3 | 3 |
| CVE-2018-0968 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0969 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0970 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0971 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-0972 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0973 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-0974 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0975 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0976 | Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability | Important | No | No | 3 | 3 |
| CVE-2018-0987 | Scripting Engine Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-0989 | Scripting Engine Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-0997 | Internet Explorer Memory Corruption Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0998 | Microsoft Edge Information Disclosure Vulnerability | Important | No | No | 2 | N/A |
| CVE-2018-1001 | Scripting Engine Memory Corruption Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-1003 | Microsoft JET Database Engine Remote Code Execution Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-1005 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | 3 | 3 |
| CVE-2018-1007 | Microsoft Office Information Disclosure Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-1008 | OpenType Font Driver Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-1009 | Microsoft DirectX Graphics Kernel Subsystem Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-1011 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-1014 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | 3 | 3 |
| CVE-2018-1026 | Microsoft Office Remote Code Execution Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-1027 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-1028 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-1029 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-1030 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-1032 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | 3 | 3 |
| CVE-2018-1037 | Microsoft Visual Studio Information Disclosure Vulnerability | Important | No | No | 3 | 3 |
| CVE-2018-8117 | Microsoft Wireless Keyboard 850 Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-8116 | Microsoft Graphics Component Denial of Service Vulnerability | Moderate | No | No | 3 | 3 |

Beyond what we’ve already covered, the month sees another huge grouping of browser-related fixes, many of which are rated as Critical RCE. There are 10 different Windows Kernel info disclosure vulnerabilities being addressed this month, which likely means bad news for people attempting sandbox escapes. Many Office bugs are being addressed this month, with four being for Excel and five being for the Office suite in general. These accompany four SharePoint vulnerabilities, one of which is the publicly known issue being patched this month.

Finally, Microsoft also released their version of the aforementioned Adobe patch for Flash in Internet Explorer.

Looking Ahead

The next Patch Tuesday falls on May 8, and we’ll return with details and patch analysis then. Follow us on Twitter to see the latest and greatest coming from the ZDI program. Until then, happy patching and may all your reboots be smooth and clean!