The August 2018 Security Update Review

August 14, 2018 | Dustin Childs

August is here and with it comes the latest in security offerings from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.

Adobe Patches for August 2018

Adobe released a total of four patches for August correcting 11 CVEs in Adobe Flash, Acrobat, Experience Manager, and the Adobe Creative Cloud Desktop Application. The release begins with a critical-rated Flash update addressing five CVEs, one of which came through the ZDI program. The worst of these bugs could allow remote code execution, while the others patched involve info disclosure. There’s also a patch for Adobe Acrobat that addresses two CVEs, with one of those CVEs coming from ZDI researcher Abdul-Aziz Hariri. While Acrobat updates are generally quarterly, this update follows last month’s monster release. It corrects a pair of Critical-severity bugs and provides additional protections to augment CVE-2018-8414, which is described in more detail below.

The patch for Adobe Experience Manager corrects three Moderate-rated CVEs, all of which involve some form of information disclosure. The final patch from Adobe for August fixes a single DLL hijacking vulnerability in the Creative Cloud Desktop Application. None of the issues patched by Adobe this month are listed as under active attack. However, the defense-in-depth changes in Acrobat will help against the active attacks against the Windows shell as described below.

Microsoft Patches for August 2018

Microsoft released 60 security patches for August covering Internet Explorer (IE), Edge, ChakraCore, Windows components, .NET Framework, SQL Server, as well as Microsoft Office and Office Services. Of these 60 CVEs, 20 are listed as Critical, 38 are rated Important, one is rated as Moderate, and one is rated as Low in severity. Thierteen of these CVEs came through the ZDI program. Two of these bugs are listed as publicly known and under active attack at the time of release.

Let’s take a closer look at some of the more interesting patches for this month, starting with the issue currently under active attack:

-       CVE-2018-8373 – Internet Explorer Memory Corruption Vulnerability
This is one of the two active attacks this month, and this one was detected just after July’s patch Tuesday. It’s also very similar to the previously patched CVE-2018-8174, which was patched back in May. Analysis from Elliot Cao, the Trend Micro researcher who discovered this, revealed that it used a new UAF vulnerability in vbscript.dll. This UAF occurs when the VBScript engine uses AssignVar to assign a value to the element of an array accessed by AccessArray. Interestingly, the previous CVE was also being actively exploited when patched. In other words, if there are similar bugs to this one, they will likely be found and exploited, too. This patch should be one of your top priorities.

-       CVE-2018-8414 – Windows Shell Remote Code Execution Vulnerability
The other active attack patched today involves the Windows Shell and invalid file paths. As mentioned above, this bug also impacts Adobe Acrobat, since it allows various file types to be embedded within Reader. The Acrobat patch blocks the embedding of certain files types – a tactic Microsoft has already done with Office 365 docs. This patch prevents the bypassing of traditional file execution restrictions within Windows. It’s fascinating to see exploit authors combine different products to evade detection and proliferate their malware. Even though this is only rated Important in severity, this is another patch that should be pushed out quickly.

-       CVE-2018-8302 – Microsoft Exchange Memory Corruption Vulnerability
Here’s another bug that came through our program. This one could allow non-privileged Exchange users to run arbitrary code as "NT AUTHORITY\SYSTEM" in the Exchange Server through a .NET BinaryFormatter Deserialization vulnerability. It requires Unified Messaging (UM) be enabled, but that’s a relatively common scenario. Rather than go through the details here, just check out this blog from our team with all the details and a demonstration video. Exchange patches are always frightening – no one wants to be the one that crashed the email server – but this bug is certainly nothing to overlook.

-       CVE-2018-8360.NET Framework Information Disclosure Vulnerability
On the surface, an information disclosure vulnerability in .NET doesn’t seem too bad. However, this particular bug could allow an attacker to access information in multi-tenant environments. It appears to mostly impact high-load/high-density environments as an attacker could potentially blend different network streams together. This could expose data from one customer to another, although it’s not clear exactly what type of data is disclosed.

Here’s the full list of CVEs released by Microsoft for August 2018.

CVE Title Severity Public Exploited XI - Latest XI - Older Type
CVE-2018-8373 Internet Explorer Memory Corruption Vulnerability Critical Yes Yes 2 0 RCE
CVE-2018-8414 Windows Shell Remote Code Execution Vulnerability Important Yes Yes 1 1 RCE
CVE-2018-8273 Microsoft SQL Server Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2018-8302 Microsoft Exchange Memory Corruption Vulnerability Critical No No 2 2 RCE
CVE-2018-8344 Microsoft Graphics Remote Code Execution Vulnerability Critical No No 1 1 RCE
CVE-2018-8345 LNK Remote Code Execution Vulnerability Critical No No 1 1 RCE
CVE-2018-8350 Windows PDF Remote Code Execution Vulnerability Critical No No 2 N/A RCE
CVE-2018-8355 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No 1 N/A RCE
CVE-2018-8359 Scripting Engine Information Disclosure Vulnerability Critical No No 1 N/A Info
CVE-2018-8371 Internet Explorer Memory Corruption Vulnerability Critical No No 1 1 RCE
CVE-2018-8372 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No 1 N/A RCE
CVE-2018-8377 Microsoft Edge Memory Corruption Vulnerability Critical No No 2 N/A RCE
CVE-2018-8380 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No 1 N/A RCE
CVE-2018-8381 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No 1 N/A RCE
CVE-2018-8384 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No 1 N/A RCE
CVE-2018-8385 Scripting Engine Memory Corruption Vulnerability Critical No No 1 N/A RCE
CVE-2018-8387 Microsoft Edge Memory Corruption Vulnerability Critical No No 1 N/A RCE
CVE-2018-8390 Scripting Engine Memory Corruption Vulnerability Critical No No 2 N/A RCE
CVE-2018-8397 GDI+ Remote Code Execution Vulnerability Critical No No N/A 2 RCE
CVE-2018-8403 Microsoft Browser Memory Corruption Vulnerability Critical No No 1 N/A RCE
CVE-2018-0952 Diagnostic Hub Standard Collector Elevation Of Privilege Vulnerability Important No No 2 2 EoP
CVE-2018-8200 Device Guard Code Integrity Policy Security Feature Bypass Vulnerability Important No No 2 2 SFB
CVE-2018-8204 Device Guard Code Integrity Policy Security Feature Bypass Vulnerability Important No No 2 2 SFB
CVE-2018-8253 Cortana Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2018-8266 Chakra Scripting Engine Memory Corruption Vulnerability Important No No 1 N/A RCE
CVE-2018-8316 Internet Explorer Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2018-8339 Windows Installer Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2018-8340 ADFS Security Feature Bypass Vulnerability Important No No 2 2 SFB
CVE-2018-8341 Windows Kernel Information Disclosure Vulnerability Important No No 2 2 info
CVE-2018-8342 Windows NDIS Elevation of Privilege Vulnerability Important No No N/A 2 EoP
CVE-2018-8343 Windows NDIS Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2018-8346 LNK Remote Code Execution Vulnerability Important No No N/A 2 RCE
CVE-2018-8347 Windows Kernel Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2018-8348 Windows Kernel Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2018-8349 Microsoft COM for Windows Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2018-8351 Microsoft Edge Information Disclosure Vulnerability Important No No 2 N/A Info
CVE-2018-8353 Scripting Engine Memory Corruption Vulnerability Important No No 1 1 RCE
CVE-2018-8357 Internet Explorer Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2018-8358 Microsoft Edge Information Disclosure Vulnerability Important No No 2 N/A Info
CVE-2018-8360 .NET Framework Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2018-8370 Microsoft Edge Information Disclosure Vulnerability Important No No 2 N/A Info
CVE-2018-8375 Microsoft Excel Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2018-8376 Microsoft PowerPoint Remote Code Exectuion Vulnerability Important No No 1 1 RCE
CVE-2018-8378 Microsoft Office Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2018-8379 Microsoft Excel Remote Code Execution Vulnerability Important No No 1 1 RCE
CVE-2018-8382 Microsoft Excel Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2018-8383 Microsoft Edge Spoofing Vulnerability Important No No 1 N/A Spoof
CVE-2018-8389 Internet Explorer Memory Corruption Vulnerability Important No No 1 1 RCE
CVE-2018-8394 Windows GDI Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2018-8396 Windows GDI Information Disclosure Vulnerability Important No No N/A 2 Info
CVE-2018-8398 Windows GDI Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2018-8399 Win32k Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2018-8400 DirectX Graphics Kernel Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2018-8401 DirectX Graphics Kernel Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2018-8404 Win32k Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2018-8405 DirectX Graphics Kernel Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2018-8406 DirectX Graphics Kernel Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2018-8412 Microsoft (MAU) Office Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2018-8374 Microsoft Exchange Elevation of Privilege Vulnerability Moderate No No 3 3 EoP
CVE-2018-8388 Microsoft Edge Elevation of Privilege Vulnerability Low No No 2 N/A EoP

This month’s updates also includes patches for two .LNK bugs reported through the ZDI program. If .LNK bugs sound familiar to you, that’s likely due to one being used in the Stuxnet malware that remained one of the most widely exploited software flaws for years to come. There’s no indication these bugs are being actively used, but the sight of them certainly triggers some memories. The majority of the other Critical-rated bugs again involve Microsoft’s stable of web browsers with 13 of the 20 Critical bugs affecting browsers.

Folks should also pay special attention to CVE-2018-8273, which could allow an attacker to execute code on SQL Servers. While most think of command injection or SQL injection bugs with SQL Server (remember Bobby Tables?), this bug is actually a buffer overflow. Rounding out the Critical-rated bugs are a couple of graphics components that could lead to browse-and-own scenarios and a Windows PDF reader bug. However, it should be noted that this PDF reader flaw will mostly impact Windows 10 systems with Microsoft Edge set as the default browser. If this isn’t your scenario, the browse-and-own scenario doesn’t work. An attacker would have to entice someone into opening a malicious PDF document.

Taking a look at the Important-rated patches, most involve some form of elevation of privilege. The majority of these are in Windows components, which require an attacker to execute a program on the system to elevate, or an Office component, which requires an attacker to convince a user to open a malicious file. There are a few Important-rated security feature bypasses, information disclosure, and spoofing bugs corrected this month as well. The August patches round out with a Moderate-rated Exchange bug and a Low-rated Edge bug that seems custom tailored for spear phishing campaigns since the bugs leads users to believe they’re on a legitimate website.

There are several advisories to cover this month as well. The first advisory provides additional guidance to mitigate a new speculative execution side-channel vulnerability known as Lazy FP State Restore. Previous speculative execution side-channel vulnerabilities are better known as Spectre and Meltdown. This new variant was discovered back in June and impacts Intel processors. Along those same lines, ADV180018 provides additional guidance to mitigate a new speculative execution side-channel vulnerability known as L1 Terminal Fault (L1TF). This new variant affects Intel processors and adds three new CVEs to the growing list of side-channel-related attacks. Next up, there’s an advisory for Office that “provides enhanced security as a defense in depth measure.” That’s the extent of the detail provided. Since Outlook is the only affected product listed, we can only assume the change is somehow email related. Finally, Microsoft released their version of the aforementioned Adobe patch for Flash in Internet Explorer.

Looking Ahead

The next patch Tuesday falls on September 11, and we’ll return with details and patch analysis then. Until then, happy patching and may all your reboots be smooth and clean!