The May 2018 Security Update Review

May 08, 2018 | Dustin Childs


May has arrived and brought with it the latest patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for May’s security updates.

Adobe Patches for May 2018

For May, Adobe released three patches addressing a total of five CVEs in Adobe Flash, Adobe Connect, and the Adobe Creative Cloud Desktop Application. Based on install base alone, the Adobe Flash update should be the highest priority. The lone CVE fixed by this patch could allow remote code execution through a type confusion bug. The Creative Cloud patch fixes one Critical- and two Important-rated bugs. For this bulletin, direct code execution is not possible. Instead, Adobe corrects a security bypass and two privilege escalations. The final patch for Adobe Connect corrects an Important-severity information disclosure. None of these bugs are listed as being under active attack or publicly known at the time of release.

Microsoft Patches for May 2018

Microsoft released 68 security patches for May covering Internet Explorer (IE), Edge, ChakraCore, Hyper-V Server, Windows, Visual Studio, Microsoft Office and Office Services and Web Apps, and the Azure IoT SDK. Of these 68 CVEs, 21 are listed as Critical, 45 are rated Important, and two are listed as Low in severity. Eleven of these CVEs came through the ZDI program. Two of these bugs are listed as being under active attack, and two more are listed as publicly known at the time of release.

Let’s take a closer look at some of the more interesting patches for this month, starting with the bugs currently being exploited publicly.

CVE-2018-8174 – Windows VBScript Engine Remote Code Execution Vulnerability
Priority for this month has to be given to the two bugs under active attack, and this is clearly the more severe of those two. This vulnerability resides in the VBScript Engine, but the attack scenario is similar to browser bugs. A user need only visit a malicious website to have attacker-controlled code execute on their machine. This bug is also strikingly similar to CVE-2018-1004, which was patched last month after being submitted to the ZDI program. An attacker could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine. In my blog last month, I stated, “These vectors make this bug more appealing than a browser bug since the attack surface is broader.” With active attacks currently circulating in a similar bug, I hope I didn’t give anyone ideas.

CVE-2018-8120 – Win32k Elevation of Privilege Vulnerability
This is the second bug listed as under attack for this month. It has been reported that this vulnerability is actively being used by malware, although it’s not clear how widespread that malware actually is. The bug itself is just one of seven Kernel EoPs being patched this month. Any of these bugs are targets malware authors could use in future attacks.

CVE-2018-0959 – Hyper-V Remote Code Execution Vulnerability
CVE-2018-0961 – Hyper-V vSMB Remote Code Execution Vulnerability

I combined these two patches since they share the same attack scenario and result. While the root causes for these bugs are different, both could allow an attacker on a guest OS to elevate privileges and execute their code on the underlying hypervisor OS just by running a specially crafted program from the guest OS. It’s too bad neither of these bugs made an appearance at this year’s Pwn2Own, where a successful demonstration could have earned $150,000. Of the two, CVE-2018-0961 seems more interesting due to the vSMB vector used. It will be interesting to see if more research develops in this area.

CVE-2018-8119 – Azure IoT SDK Spoofing Vulnerability
The security patch process of IoT devices has been questioned during the unstoppable spread of IoT devices around the world. This patch doesn’t provide all the answers, but it is interesting to see. The vulnerability here requires an attacker to be in a position to intercept communications between a provisioning server and an IoT device. If they can get to this man-in-the-middle (MitM) position, an attacker could impersonate a server used during the provisioning process to disclose sensitive data from the IoT devices connected to that server. It’s not the most exciting of vulnerabilities, but it does show the beginnings of patch management of IoT systems. Now if we could just figure out how to automatically update a thermostat or refrigerator, we’ll be all set.

Here’s the full list of CVEs released by Microsoft for May 2018.

| CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2018-8174 | Windows VBScript Engine Remote Code Execution Vulnerability | Critical | No | Yes | 0 | 0 |
| CVE-2018-8120 | Win32k Elevation of Privilege Vulnerability | Important | No | Yes | N/A | 0 |
| CVE-2018-8170 | Windows Image Elevation of Privilege Vulnerability | Important | Yes | No | 1 | 1 |
| CVE-2018-8141 | Windows Kernel Information Disclosure Vulnerability | Important | Yes | No | N/A | 2 |
| CVE-2018-8115 | Windows Host Compute Service Shim Remote Code Execution Vulnerability | Critical | No | No | 3 | 3 |
| CVE-2018-0943 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-0945 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-0946 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-0951 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-0953 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-0954 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
| CVE-2018-0955 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
| CVE-2018-0959 | Hyper-V Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 |
| CVE-2018-0961 | Hyper-V vSMB Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 |
| CVE-2018-1022 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
| CVE-2018-8114 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
| CVE-2018-8122 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
| CVE-2018-8128 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-8130 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-8133 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-8137 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-8139 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-8177 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A |
| CVE-2018-8178 | Microsoft Browser Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-8142 | Windows Security Feature Bypass Vulnerability | Important | No | No | 3 | N/A |
| CVE-2018-0765 | .NET and .NET Core Denial Of Service Vulnerability | Important | No | No | 3 | 3 |
| CVE-2018-0824 | Microsoft COM for Windows Remote Code Execution Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0854 | Windows Security Feature Bypass Vulnerability | Important | No | No | 3 | 3 |
| CVE-2018-0958 | Windows Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-1021 | Microsoft Edge Information Disclosure Vulnerability | Important | No | No | 1 | N/A |
| CVE-2018-1025 | Microsoft Browser Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-1039 | .NET Framework Device Guard Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-8112 | Microsoft Edge Security Feature Bypass Vulnerability | Important | No | No | 1 | N/A |
| CVE-2018-8119 | Azure IoT SDK Spoofing Vulnerability | Important | No | No | 3 | N/A |
| CVE-2018-8123 | Microsoft Edge Memory Corruption Vulnerability | Important | No | No | 1 | N/A |
| CVE-2018-8124 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-8126 | Internet Explorer Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-8127 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-8129 | Windows Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-8132 | Windows Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-8134 | Windows Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-8145 | Chakra Scripting Engine Memory Corruption Vulnerability | Important | No | No | 3 | N/A |
| CVE-2018-8147 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-8148 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-8149 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-8150 | Microsoft Outlook Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-8151 | Microsoft Exchange Memory Corruption Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-8152 | Microsoft Exchange Server Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-8154 | Microsoft Exchange Memory Corruption Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-8155 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-8156 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-8157 | Microsoft Office Remote Code Execution Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-8158 | Microsoft Office Remote Code Execution Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-8159 | Microsoft Exchange Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-8160 | Microsoft Outlook Information Disclosure Vulnerability | Important | No | No | N/A | 2 |
| CVE-2018-8161 | Microsoft Office Remote Code Execution Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-8162 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-8163 | Microsoft Excel Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-8164 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-8165 | DirectX Graphics Kernel Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-8166 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-8167 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-8168 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | N/A | 2 |
| CVE-2018-8173 | Microsoft InfoPath Remote Code Execution Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-8179 | Microsoft Edge Memory Corruption Vulnerability | Important | No | No | 1 | N/A |
| CVE-2018-8897 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 3 | 3 |
| CVE-2018-8136 | Windows Remote Code Execution Vulnerability | Low | No | No | 2 | 2 |
| CVE-2018-8153 | Microsoft Exchange Spoofing Vulnerability | Low | No | No | 2 | 2 |

As for the rest of the release, browser bugs are again in the spotlight with 17 Critical- and seven Important-rated browser vulnerabilities patched this month. The Critical bugs allow remote code execution, while the Important bugs are a mix of info disclosure and security feature bypasses. There are also quite a few Office-related patches for May, with the most important being those for Outlook and SharePoint. There’s also an update from Exchange to prevent a command injection attack, although the exploit scenario here involves some social engineering, as well. The .NET Framework has a couple of Important-severity patches, but neither involves code execution. Finally, Windows itself gets its share of patches with kernel updates, a DirectX patch, and some security feature bypasses.

Microsoft also released a patch last week for a Windows Host Compute Service Shim remote code execution bug. However, the vulnerability wasn’t listed as public or under active attack, and while rated Critical, the bug carries an XI of 3 (unlikely to be exploited). It seems odd Microsoft would release this lone patch a week early. Perhaps they were aware of imminent exploitation. Regardless, don’t let this one escape your attention.
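
The following is an added example, not part of the original post: a small parser that turns rows in the CVE table's column order into a deployment order, which shows why a Critical rating with an XI of 3 can rank below an exploited Important bug. The ordering policy (exploited, then public, then severity, then XI) and the function names are assumptions modeled on the priorities stated in this review.

```python
import re

# Rows copied from this page's table, in its flattened column order:
# CVE, title, severity, public, exploited, XI (latest), XI (older).
ROWS = """\
CVE-2018-8115 Windows Host Compute Service Shim Remote Code Execution Vulnerability Critical No No 3 3
CVE-2018-8120 Win32k Elevation of Privilege Vulnerability Important No Yes N/A 0
CVE-2018-8136 Windows Remote Code Execution Vulnerability Low No No 2 2
CVE-2018-8170 Windows Image Elevation of Privilege Vulnerability Important Yes No 1 1
CVE-2018-8174 Windows VBScript Engine Remote Code Execution Vulnerability Critical No Yes 0 0
CVE-2018-0959 Hyper-V Remote Code Execution Vulnerability Critical No No 2 2
"""

# The title contains spaces, so anchor on the fixed-vocabulary columns after it.
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+(?P<title>.+?)\s+"
    r"(?P<severity>Critical|Important|Moderate|Low)\s+"
    r"(?P<public>Yes|No)\s+(?P<exploited>Yes|No)\s+"
    r"(?P<xi_latest>[0-3]|N/A)\s+(?P<xi_older>[0-3]|N/A)$"
)
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}


def parse_rows(text):
    """Parse flattened table rows into dicts; reject anything malformed."""
    entries = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        match = ROW_RE.match(line)
        if match is None:
            raise ValueError(f"unparseable row: {line!r}")
        entries.append(match.groupdict())
    return entries


def best_xi(entry):
    """Lowest XI across both columns (lower = more exploitable); N/A is skipped."""
    values = [int(entry[k]) for k in ("xi_latest", "xi_older") if entry[k] != "N/A"]
    return min(values) if values else 4


def triage(text):
    """Assumed policy: exploited, then public, then severity, then XI."""
    def key(e):
        return (e["exploited"] != "Yes", e["public"] != "Yes",
                SEVERITY_RANK[e["severity"]], best_xi(e), e["cve"])
    return [e["cve"] for e in sorted(parse_rows(text), key=key)]


if __name__ == "__main__":
    for cve in triage(ROWS):
        print(cve)
```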

This month’s release also contains two oddities – Low-severity patches. The first is an Exchange spoofing vulnerability that could allow an XSS on OWA. Since user interaction is required, the severity gets knocked down. The second is ominously labelled “Windows Remote Code Execution Vulnerability,” but it requires the attacker to already be an authenticated domain user. It’s easy to see why these were lowered in severity rating, and kudos to Microsoft for fixing them regardless.

Finally, Microsoft also released their version of the aforementioned Adobe patch for Flash in Internet Explorer.

Looking Ahead

The next Patch Tuesday falls on June 12, and we’ll return with details and patch analysis then. Follow us on Twitter to see the latest and greatest coming from the ZDI program. Until then, happy patching and may all your reboots be smooth and clean!