The September 2018 Security Update Review

September 11, 2018 | Dustin Childs

September is upon us and with it comes the latest in security offerings from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.

Adobe Patches for September 2018

Adobe begins the September patch cycle with two updates, for Flash and ColdFusion, addressing a total of 10 CVEs. The Flash update corrects one info disclosure bug, while the ColdFusion patch fixes a mix of code execution and information disclosure bugs. Multiple critical-rated CVEs are remedied by the ColdFusion patch. If you’re using this development tool, definitely get this patch applied.

Microsoft Patches for September 2018

Microsoft released 61 security patches and two advisories covering Internet Explorer (IE), Edge, ChakraCore, Azure, Hyper-V, Windows components, .NET Framework, SQL Server, and Microsoft Office and Office Services. Of the 62 CVEs, 17 are listed as Critical, 43 are rated Important, and one is rated as Moderate in severity. A total of ten of these CVEs came through the ZDI program. Four of these bugs are listed as publicly known at the time of release and one of these is reported as being actively exploited.

Let’s take a closer look at some of the more interesting patches for this month, starting with the issue currently under active attack:

- CVE-2018-8440 – Windows ALPC Elevation of Privilege Vulnerability
This CVE was publicly disclosed via Twitter back on August 27th and was reportedly seen in malware as soon as September 5th. The bug itself allows attackers to elevate privileges and run code with administrative privileges due to an improper Advanced Local Procedure Call (ALPC). An ALPC is an internal mechanism normally restricted to Windows operating system components. A lack of permissions checking in the Spooler process allows the elevation. This bug should be on the top of everyone’s deployment list.

- CVE-2018-8475 – Windows Remote Code Execution Vulnerability
Were it not for the bug already under exploit, this publicly known bug would be at the top of the priority ranking. This CVE could allow an attacker to execute code on a target system just by convincing someone to view an image. That’s all the user interaction needed. Open the wrong image – even through a web browser – and code executes, making this a browse-and-own scenario. Microsoft provides no information on where this is public, but given the severity of the issue and the relative ease of exploitation, expect this one to find its way into exploit kits quickly.

- CVE-2018-0965, CVE-2018-8439 – Windows Hyper-V Remote Code Execution Vulnerability
These are two different CVEs, but I grouped them together as they have the same exploit scenario and impact. For both cases, a user on a guest virtual machine could execute code on the underlying hypervisor OS. The root cause for both of these bugs goes back to the failure to properly validate user input. Although titled as “remote code execution,” these bugs require an attacker to execute code on the guest OS. If an attacker (or malware) does have the ability to run programs, their code executes on the hypervisor – potentially impacting other guest OSes.

- CVE-2018-8449 – Device Guard Security Feature Bypass Vulnerability
This bug could allow an unsigned file to appear signed and therefore trusted. Since Device Guard relies on signatures to determine if a file is malicious or not, bypassing these signatures opens the door for malware. Expect this bug to show up in future exploits.

Here’s the full list of CVEs released by Microsoft for September 2018.

CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older | Type
CVE-2018-8440 | Windows ALPC Elevation of Privilege Vulnerability | Important | Yes | Yes | 1 | 1 | EoP
CVE-2018-8475 | Windows Remote Code Execution Vulnerability | Critical | Yes | No | 1 | 1 | RCE
CVE-2018-8457 | Scripting Engine Memory Corruption Vulnerability | Critical | Yes | No | 1 | N/A | RCE
CVE-2018-8409 | ASP.NET Core Denial of Service | Important | Yes | No | 2 | 2 | DoS
CVE-2018-0965 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | No | No | N/A | 2 | RCE
CVE-2018-8367 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE
CVE-2018-8420 | MS XML Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 | RCE
CVE-2018-8461 | Internet Explorer Memory Corruption Vulnerability | Critical | No | No | 1 | 1 | RCE
CVE-2018-8332 | Win32k Graphics Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE
CVE-2018-8391 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE
CVE-2018-8421 | .NET Framework Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE
CVE-2018-8439 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE
CVE-2018-8447 | Internet Explorer Memory Corruption Vulnerability | Critical | No | No | 1 | 1 | RCE
CVE-2018-8456 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE
CVE-2018-8459 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE
CVE-2018-8464 | Microsoft Edge PDF Remote Code Execution Vulnerability | Critical | No | No | 1 | N/A | RCE
CVE-2018-8465 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE
CVE-2018-8466 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE
CVE-2018-8467 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE
CVE-2018-8479 | Azure IoT SDK Spoofing Vulnerability | Important | No | No | N/A | N/A | Spoof
CVE-2018-8269 | Odata Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS
CVE-2018-8335 | Windows SMB Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS
CVE-2018-8436 | Windows Hyper-V Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS
CVE-2018-8437 | Windows Hyper-V Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS
CVE-2018-8438 | Windows Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS
CVE-2018-8410 | Windows Registry Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP
CVE-2018-8462 | DirectX Graphics Kernel Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP
CVE-2018-8428 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2018-8431 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2018-8441 | Windows Subsystem for Linux Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2018-8455 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2018-8463 | Microsoft Edge Elevation of Privilege Vulnerability | Important | No | No | 1 | N/A | EoP
CVE-2018-8468 | Windows Elevation of Privilege Vulnerability | Important | No | No | 1 | N/A | EoP
CVE-2018-8469 | Microsoft Edge Elevation of Privilege Vulnerability | Important | No | No | 1 | N/A | EoP
CVE-2018-8271 | Windows Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info
CVE-2018-8315 | Microsoft Scripting Engine Information Disclosure Vulnerability | Important | No | No | 2 | N/A | Info
CVE-2018-8336 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | N/A | 2 | Info
CVE-2018-8419 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info
CVE-2018-8424 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info
CVE-2018-8433 | Microsoft Graphics Component Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info
CVE-2018-8429 | Microsoft Excel Information Disclosure Vulnerability | Important | No | No | 2 | N/A | Info
CVE-2018-8434 | Windows Hyper-V Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info
CVE-2018-8442 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 1 | 1 | Info
CVE-2018-8443 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info
CVE-2018-8444 | Windows SMB Information Disclosure Vulnerability | Important | No | No | N/A | 2 | Info
CVE-2018-8445 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info
CVE-2018-8446 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info
CVE-2018-8452 | Scripting Engine Information Disclosure Vulnerability | Important | No | No | 1 | N/A | Info
CVE-2018-8354 | Scripting Engine Memory Corruption Vulnerability | Important | No | No | 1 | N/A | RCE
CVE-2018-8366 | Microsoft Edge Information Disclosure Vulnerability | Important | No | No | 1 | N/A | RCE
CVE-2018-8392 | Microsoft JET Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE
CVE-2018-8393 | Microsoft JET Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE
CVE-2018-8430 | Word PDF Remote Code Execution Vulnerability | Important | No | No | 1 | 1 | RCE
CVE-2018-8331 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 1 | N/A | RCE
CVE-2018-8337 | Windows Subsystem for Linux Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 | SFB
CVE-2018-8435 | Windows Hyper-V Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 | SFB
CVE-2018-8449 | Device Guard Security Feature Bypass Vulnerability | Important | No | No | 1 | 1 | SFB
CVE-2018-8470 | Internet Explorer Security Feature Bypass Vulnerability | Important | No | No | 1 | 1 | SFB
CVE-2018-8425 | Microsoft Edge Spoofing Vulnerability | Important | No | No | 1 | N/A | Spoof
CVE-2018-8426 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS
CVE-2018-8474 | Lync for Mac 2011 Security Feature Bypass Vulnerability | Moderate | No | No | N/A | 2 | SFB
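The deployment ordering argued for above (under active exploit first, then publicly known, then Microsoft's Exploitability Index and severity) can be applied to the whole table mechanically. The script below is an added example, not part of the original post: it parses rows in the table's column order (pipes or plain whitespace) and sorts them; the sample rows are copied from the table above.

```python
"""Patch-priority triage over a Patch Tuesday CVE table (added example, not from the post).
Row order: CVE, title, Severity, Public, Exploited, XI - Latest, XI - Older, Type.
Ranking follows the write-up: exploited first, then public, then XI (1 = more likely), then severity."""
from dataclasses import dataclass
from typing import List, Optional

SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}

# Sample rows copied from the review's table (a subset, for demonstration).
SAMPLE_ROWS = [
    "CVE-2018-8440 Windows ALPC Elevation of Privilege Vulnerability Important Yes Yes 1 1 EoP",
    "CVE-2018-8475 Windows Remote Code Execution Vulnerability Critical Yes No 1 1 RCE",
    "CVE-2018-8409 ASP.NET Core Denial of Service Important Yes No 2 2 DoS",
    "CVE-2018-0965 Windows Hyper-V Remote Code Execution Vulnerability Critical No No N/A 2 RCE",
    "CVE-2018-8449 Device Guard Security Feature Bypass Vulnerability Important No No 1 1 SFB",
    "CVE-2018-8474 Lync for Mac 2011 Security Feature Bypass Vulnerability Moderate No No N/A 2 SFB",
]

@dataclass(frozen=True)
class CveRow:
    cve: str
    title: str
    severity: str
    public: bool
    exploited: bool
    xi_latest: Optional[int]  # None where Microsoft lists N/A
    xi_older: Optional[int]
    kind: str

def parse_row(line: str) -> CveRow:
    """Parse one row. Pipes are tolerated so a '|' table pastes as-is; the title is
    everything between the CVE id and the six fixed trailing columns."""
    tokens = line.replace("|", " ").split()
    cve, *title, severity, public, exploited, xi_l, xi_o, kind = tokens
    if severity not in SEVERITY_RANK or {public, exploited} - {"Yes", "No"}:
        raise ValueError(f"malformed row: {line!r}")
    xi = lambda t: None if t == "N/A" else int(t)
    return CveRow(cve, " ".join(title), severity, public == "Yes",
                  exploited == "Yes", xi(xi_l), xi(xi_o), kind)

def priority_key(row: CveRow) -> tuple:
    """Lower sorts first; use the best (lowest) XI across platforms, N/A-only rows last."""
    xis = [v for v in (row.xi_latest, row.xi_older) if v is not None]
    return (not row.exploited, not row.public, min(xis) if xis else 9,
            SEVERITY_RANK[row.severity], row.cve)

def triage(lines: List[str]) -> List[CveRow]:
    """Return rows in deployment-priority order (parse errors propagate)."""
    return sorted((parse_row(l) for l in lines if l.strip()), key=priority_key)
```

Feeding the full table in gives the same order the write-up describes: CVE-2018-8440 first, then CVE-2018-8475 and the other publicly known bugs, then the XI 1 Critical RCEs.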

Browser bugs again feature prominently in this month’s release with 19 patches for browser-related issues. While use after free (UAF) bugs in browsers are on the decline, researcher focus on browsers certainly isn’t, as JIT bugs become the new UAF. There’s also a critical-rated bug in MS-XML that could allow a browse-and-own scenario and functionally acts like a browser bug. Developers need to take notice, as several patches impact developer tools. A denial of service bug in ASP.NET Core is listed as publicly known, and a bug in the .NET Framework could allow an RCE to occur. There are also two patches for the Windows Subsystem for Linux.

Several Windows components receive patches this month, including new fixes for embedded fonts. In addition to the bugs highlighted above, Hyper-V receives five other fixes for DoS, info disclosure, and security feature bypass issues. Multiple patches cover various graphics components, and the kernel receives its now monthly group of fixes. Several Office components also receive fixes, with the majority of these focused around Excel.

Information disclosure bugs are highlighted this month with 14 being addressed across various components. On their own, these don’t cause much of a problem, but they’re often combined with other vulnerabilities to make exploitation reliable. These go along with the five patches addressing security feature bypasses. In a sense, these fixes can be viewed as asymmetric since their impact goes beyond just these individual code changes. Changes that make exploitation more difficult are always welcome. The September release is rounded out by a moderate-severity security feature bypass in Lync for Mac 2011. Surprisingly, this venerable instant messenger is still available for download.

There are two advisories to cover this month as well. The first offers workarounds for the “FragmentSmack” DoS (CVE-2018-5391). This was initially discovered in the Linux kernel TCP/IP implementation, but it clearly affects Windows as well. The advisory recommends dropping out-of-order packets with perimeter devices until a full fix is available from Microsoft.

The other advisory covers the Microsoft version of the aforementioned Adobe patch for Flash in Internet Explorer.

Looking Ahead

The next patch Tuesday falls on October 9, and we’ll return with details and patch analysis then. Until then, happy patching and may all your reboots be smooth and clean!