The July 2018 Security Update Review

July 10, 2018 | Dustin Childs

July is here and with it comes the latest in security offerings from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.

Adobe Patches for July 2018

This month, Adobe released four patches for Flash, Adobe Reader, Experience Manager, and Adobe Connect. The patch for Adobe Flash is quite small this month with only two CVEs being addressed. The first is a type confusion bug submitted through the ZDI program that could lead to remote code execution. The other bug is a less severe information disclosure vulnerability due to an out-of-bounds Read. The patch for Experience Manager fixes three information disclosure bugs. The Connect patch also fixes three bugs, with two being authentication bypasses and one being an insecure library load.

Unlike these others, the Acrobat patch is enormous, with 107 CVEs being addressed in whole. A total of 68 of these CVEs came through the ZDI program. With so many issues being fixed, it’s hard to pull out any specific ones to highlight. The types of bugs fixed by this patch include out-of-bounds reads, out-of-bounds writes, heap overflows, type confusions, and use-after-frees.  The worst of these could allow an attacker’s code to execute by opening a malicious PDF. While it’s good to see Adobe address so many issues at once, it’s a bit troubling that Adobe needs to address so many bugs at once.  

Microsoft Patches for July 2018

Microsoft released 53 security patches for July covering Internet Explorer (IE), Edge, ChakraCore, Windows, .NET Framework, ASP.NET, PowerShell, Visual Studio, and Microsoft Office and Office Services. Of these 53 CVEs, 18 are listed as Critical, 33 are rated Important, one is rated as Moderate, and one is rated as Low in severity. Five of these CVEs came through the ZDI program. None of the bugs patched this month are listed as publicly known or under active attack at the time of release.

Let’s take a closer look at some of the more interesting patches for this month:

-       CVE-2018-8304 - Windows DNSAPI Denial of Service Vulnerability
While not a severe as last month’s wormable CVE-2018-8225, this bug could allow remote attackers to shut down a DNS server through merely a malformed DNS response. Again, that’s better than code execution, but it’s never good when an adversary can remotely shut down a part of your critical infrastructure.

-       CVE-2018-8310 - Microsoft Office Tampering Vulnerability
At first glance, this seems like a relatively typical Office vulnerability in that opening a malicious file leads to bad things. In this case, there’s a different wrinkle that opens some interesting possibilities. An attacker exploiting this vulnerability could embed untrusted TrueType fonts into an email. Bugs in fonts have been popular since 2013 and have been used in malware attacks in the past. This bug could allow them to spread and possibly even bypass traditional filters. That’s likely the reason Microsoft chose to go ahead and release a patch for this Low-rated vulnerability.

-       CVE-2018-8306 - Microsoft Wireless Display Adapter Command Injection Vulnerability
When I first read the title, I was hoping for a bug that allowed an attacker to hijack a wireless display. This is not that bug. This vulnerability requires authentication and could cause the display to malfunction. While the bug itself isn’t that bad, the update scenario sounds taxing. The patch is a firmware update. To get the new firmware, it has to be downloaded from the Wireless Display Adapter App available in the Microsoft App Store. That doesn’t sound like something easily automated. From a sysadmin’s perspective, this patch will be very labor intensive to roll out.

-       CVE-2018-8319 - MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability
This bug allows an attacker to generate signatures that mimic the entity associated with a public/private key pair. While this doesn’t appear to circumvent authentic public/private key pairs, it likely can be used by malware authors to make their attacks appear genuine.

Here’s the full list of CVEs released by Microsoft for June 2018. We’ve added a column showing the type of vulnerability being addressed. Let us know what you think.

CVE Title Severity Public Exploited XI - Latest XI - Older Type
CVE-2018-8242 Scripting Engine Memory Corruption Vulnerability Critical No No 1 1 RCE
CVE-2018-8262 Microsoft Edge Memory Corruption Vulnerability Critical No No 1 N/A RCE
CVE-2018-8274 Microsoft Edge Memory Corruption Vulnerability Critical No No 1 N/A RCE
CVE-2018-8275 Scripting Engine Memory Corruption Vulnerability Critical No No 1 1 RCE
CVE-2018-8279 Scripting Engine Memory Corruption Vulnerability Critical No No 1 1 RCE
CVE-2018-8280 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No 1 1 RCE
CVE-2018-8283 Scripting Engine Memory Corruption Vulnerability Critical No No 1 1 RCE
CVE-2018-8286 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No 1 1 RCE
CVE-2018-8288 Scripting Engine Memory Corruption Vulnerability Critical No No 1 1 RCE
CVE-2018-8289 Microsoft Edge Information Disclosure Vulnerability Critical No No 1 1 Info
CVE-2018-8290 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No 1 1 RCE
CVE-2018-8291 Scripting Engine Memory Corruption Vulnerability Critical No No 1 1 RCE
CVE-2018-8294 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No 1 1 RCE
CVE-2018-8296 Scripting Engine Memory Corruption Vulnerability Critical No No 1 1 RCE
CVE-2018-8298 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No 1 1 RCE
CVE-2018-8301 Microsoft Edge Memory Corruption Vulnerability Critical No No 1 N/A RCE
CVE-2018-8324 Microsoft Edge Information Disclosure Vulnerability Critical No No 1 N/A Info
CVE-2018-8327 PowerShell Editor Services Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2018-0949 Internet Explorer Security Feature Bypass Vulnerability Important No No 1 1 SFB
CVE-2018-8125 Chakra Scripting Engine Memory Corruption Vulnerability Important No No 1 1 SFB
CVE-2018-8171 ASP.NET Core Security Feature Bypass Vulnerability Important No No 3 3 SFB
CVE-2018-8172 Visual Studio Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2018-8202 .NET Framework Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2018-8206 Windows FTP Server Denial of Service Vulnerability Important No No 2 2 DoS
CVE-2018-8222 Device Guard Code Integrity Policy Security Feature Bypass Vulnerability Important No No 2 2 SFB
CVE-2018-8325 Microsoft Edge Information Disclosure Vulnerability Important No No 2 N/A Info
CVE-2018-8238 Skype for Business and Lync Security Feature Bypass Vulnerability Important No No 2 2 SFB
CVE-2018-8260 .NET Framework Remote Code Execution Vulnerability Important No No 3 N/A RCE
CVE-2018-8276 Scripting Engine Security Feature Bypass Vulnerability Important No No 2 2 SFB
CVE-2018-8278 Microsoft Edge Spoofing Vulnerability Important No No 1 N/A Spoof
CVE-2018-8281 Microsoft Office Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2018-8282 Win32k Elevation of Privilege Vulnerability Important No No 3 1 EoP
CVE-2018-8284 .NET Framework Remote Code Injection Vulnerability Important No No 2 2 RCE
CVE-2018-8287 Scripting Engine Memory Corruption Vulnerability Important No No 1 1 RCE
CVE-2018-8297 Microsoft Edge Information Disclosure Vulnerability Important No No 1 N/A Info
CVE-2018-8299 Microsoft SharePoint Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2018-8300 Microsoft SharePoint Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2018-8304 Windows DNSAPI Denial of Service Vulnerability Important No No 2 2 DoS
CVE-2018-8305 Windows Mail Client Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2018-8306 Microsoft Wireless Display Adapter Command Injection Vulnerability Important No No 2 2 RCE
CVE-2018-8307 WordPad Security Feature Bypass Vulnerability Important No No 2 2 SFB
CVE-2018-8308 Windows Kernel Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2018-8309 Windows Denial of Service Vulnerability Important No No 2 2 DoS
CVE-2018-8311 Remote Code Execution Vulnerability in Skype For Business and Lync Important No No 2 2 RCE
CVE-2018-8312 Microsoft Access Remote Code Execution Use After Free Vulnerability Important No No 2 2 RCE
CVE-2018-8313 Windows Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2018-8314 Windows Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2018-8319 MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability Important No No 2 2 SFB
CVE-2018-8323 Microsoft SharePoint Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2018-8326 Open Source Customization for Active Directory Federation Services XSS Vulnerability Important No No N/A N/A Spoof
CVE-2018-8356 .NET Framework Security Feature Bypass Vulnerability Important No No 3 3 SFB
CVE-2018-8310 Microsoft Office Tampering Vulnerability Low No No 2 2 Tampering
CVE-2018-8232 Microsoft Macro Assembler Tampering Vulnerability Moderate No No N/A N/A Tampering

As for the rest of the release, browser-related bugs remain in the spotlight, with 17 of the 18 Critical-rated bugs being some form of bug in either IE, Edge, or ChakraCore. This continues the trend we’ve been seeing of JIT bugs increasing in browsers. Microsoft implemented UAF mitigations back in 2014. It will be interesting to see if they can do something similar for these types of bugs in the future.

The July release also includes a mixture of Office bugs, with the most important ones affecting SharePoint and Skype for Business. There’s also a patch for a DoS bug in the FTP server. You may think that only affects Windows Server, but the Windows 7, 8, and 10 desktop OSes also include an FTP service for some reason. Everything will need that patch (reboot included).

Patches are also available for the .NET Framework and Visual Studio. Of the two RCE bugs in .NET, one requires a user to open a malicious file with .NET. The other has a more realistic attack scenario where an attacker could pass specific input to an application utilizing susceptible .NET methods. That results in code execution with elevated privileges. One of the Visual Studio bugs is also curious. Tampering bugs aren’t too common, but CVE-2018-8232 certainly qualifies. This bug in the Macro Assembler allows an attacker to introduce code into an application that modifies data within the app in an “unintended” manner. There’s a bunch of scenarios where this could prove fascinating to watch, but they all end up sounding like a plot device in a Mission Impossible movie.

The release is rounded out with kernel updates, a mail client update, a patch for PowerShell, and patch to shut down a sandbox escape in Windows. Finally, Microsoft released their version of the aforementioned Adobe patch for Flash in Internet Explorer.

Looking Ahead

The next patch Tuesday falls on August 14, and we’ll return with details and patch analysis then. Also, if you haven’t read it, take a few moments to look at the recap covering the program highlights for the first six months of this year. Follow us on Twitter to see the latest and greatest coming from the ZDI program. Until then, happy patching and may all your reboots be smooth and clean!