Microsoft's monthly Patch Tuesday security updates are out, and for August 2018, the Redmond-based OS maker has fixed 60 security flaws, including two zero-days under active attacks.
The two zero-days are CVE-2018-8414 and CVE-2018-8373.
The SettingContent-ms debacle
Microsoft describes CVE-2018-8414 as a vulnerability in the Windows Shell, but in reality, this refers to the use of SettingContent-ms files —aka Windows 10 control panel shortcuts— for malware distribution.
Bleeping Computer previously reported on this topic in June when a SpecterOps researcher showed how hackers could abuse these types of files to execute malicious code on users' PCs.
We also reported when malware authors started experimenting with this technique a month later in early July, and again in mid-July when Microsoft intervened and blocked the embedding of SettingContent-ms files inside Outlook and Office 365 documents.
With today's updates, Microsoft has taken Windows 10 defenses a step further by ensuring that the Windows Shell properly validates file paths when executing SettingContent-ms files, preventing the original trick detailed by the SpecterOps researcher from working.
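As an added illustration (not code from the article, SpecterOps or Microsoft), the following defender-side check applies the same idea to SettingContent-ms files before they reach a user, for example in a mail gateway or file scanner: parse the file and allow it only if the path it would launch is the expected Control Panel executable under system32. The XML element names, the allowed launch string and both sample files are assumptions constructed for this example, and the allowlist would be built from an organization's own known-good files.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: a benign control-panel shortcut launches control.exe from
# system32, optionally with a "/name <applet>" argument. Anything else is
# rejected (strict allowlist rather than a blocklist of bad strings).
ALLOWED_DEEPLINK = re.compile(
    r'^"?%windir%\\system32\\control\.exe"?(\s+/name\s+[\w.]+)?\s*$',
    re.IGNORECASE,
)

# Constructed sample resembling a legitimate SettingContent-ms file.
BENIGN = r"""<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>%windir%\system32\control.exe /name Microsoft.System</DeepLink>
      <Icon>%windir%\system32\control.exe</Icon>
    </ApplicationInformation>
  </SearchableContent>
</PCSettings>"""

# Constructed sample whose DeepLink points outside system32 (user-writable path).
SUSPICIOUS = BENIGN.replace(
    r"%windir%\system32\control.exe /name Microsoft.System",
    r"C:\Users\Public\update.exe",
)


def extract_deeplink(xml_text: str) -> str:
    """Return the DeepLink text, tolerating an XML namespace on the tag."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "DeepLink":
            return (el.text or "").strip()
    return ""


def deeplink_is_allowed(deeplink: str) -> bool:
    """True only when the launch string matches the strict allowlist."""
    return bool(deeplink) and ALLOWED_DEEPLINK.match(deeplink) is not None


def scan(xml_text: str) -> str:
    """Classify a SettingContent-ms document as 'allowed' or 'blocked'."""
    try:
        return "allowed" if deeplink_is_allowed(extract_deeplink(xml_text)) else "blocked"
    except ET.ParseError:
        return "blocked"  # malformed XML is treated as untrusted
```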
The IE zero-day
The second zero-day fixed this month is CVE-2018-8373, which Microsoft describes as "a remote code execution vulnerability [that] exists in the way that the scripting engine handles objects in memory in Internet Explorer."
Exploiting this flaw allows an attacker to run malicious code with the user's privilege. If the user is using an admin account, as most users tend to do on Windows, then the malicious code can wreak some serious havoc.
The zero-day can be exploited via web-based attacks if a user is accessing a malicious website via Internet Explorer, but also via email spam if a user opens documents in applications that embed the IE rendering engine.
Microsoft said details about this vulnerability became public and the company also recorded attacks using this flaw before today's updates. Bleeping Computer was unable to find any details about past campaigns. Microsoft credited security researcher Elliot Cao for discovering CVE-2018-8373.
Security advisories
On top of this, the Microsoft August 2018 Patch Tuesday also includes three security advisories that include patches for non-Windows security issues that the OS maker deemed critical enough to embed within its regular OS updates.
The first is ADV180018, which is a security advisory containing updates for the L1TF/Foreshadow vulnerability that affects Intel CPUs. More detailed info on this is available in a separate Bleeping Computer article.
The second is ADV180020. This security advisory includes this month's Adobe Flash Player fixes, detailed in a separate Bleeping Computer article here.
The third is ADV180021, also known as the "Microsoft Office Defense in Depth Update," which, obviously, contains security updates for Microsoft Office vulnerabilities.
Below is a table listing all the security issues Microsoft fixed this month. We used PowerShell and the Microsoft API to assemble the table below, but the full report is much longer; we hosted it on GitHub.
If you're not interested in all security updates and you'd like to filter updates per product, you can use Microsoft's official Security Update Guide, available here.
Tag | CVE ID | CVE Title
---|---|---
Microsoft Windows | ADV180018 | Microsoft Guidance to mitigate L1TF variant |
Adobe Flash Player | ADV180020 | August 2018 Adobe Flash Security Update |
Microsoft Office | ADV180021 | Microsoft Office Defense in Depth Update |
.NET Framework | CVE-2018-8360 | .NET Framework Information Disclosure Vulnerability |
Device Guard | CVE-2018-8200 | Device Guard Code Integrity Policy Security Feature Bypass Vulnerability |
Device Guard | CVE-2018-8204 | Device Guard Code Integrity Policy Security Feature Bypass Vulnerability |
Internet Explorer | CVE-2018-8316 | Internet Explorer Remote Code Execution Vulnerability |
Microsoft Browsers | CVE-2018-8351 | Microsoft Browser Information Disclosure Vulnerability |
Microsoft Browsers | CVE-2018-8403 | Microsoft Browser Memory Corruption Vulnerability |
Microsoft Browsers | CVE-2018-8357 | Microsoft Browser Elevation of Privilege Vulnerability |
Microsoft Edge | CVE-2018-8388 | Microsoft Edge Spoofing Vulnerability |
Microsoft Edge | CVE-2018-8377 | Microsoft Edge Memory Corruption Vulnerability |
Microsoft Edge | CVE-2018-8383 | Microsoft Edge Spoofing Vulnerability |
Microsoft Edge | CVE-2018-8387 | Microsoft Edge Memory Corruption Vulnerability |
Microsoft Edge | CVE-2018-8370 | Microsoft Edge Information Disclosure Vulnerability |
Microsoft Edge | CVE-2018-8358 | Microsoft Edge Security Feature Bypass Vulnerability |
Microsoft Exchange Server | CVE-2018-8374 | Microsoft Exchange Server Tampering Vulnerability |
Microsoft Exchange Server | CVE-2018-8302 | Microsoft Exchange Memory Corruption Vulnerability |
Microsoft Graphics Component | CVE-2018-8397 | GDI+ Remote Code Execution Vulnerability |
Microsoft Graphics Component | CVE-2018-8400 | DirectX Graphics Kernel Elevation of Privilege Vulnerability |
Microsoft Graphics Component | CVE-2018-8398 | Windows GDI Information Disclosure Vulnerability |
Microsoft Graphics Component | CVE-2018-8406 | DirectX Graphics Kernel Elevation of Privilege Vulnerability |
Microsoft Graphics Component | CVE-2018-8405 | DirectX Graphics Kernel Elevation of Privilege Vulnerability |
Microsoft Graphics Component | CVE-2018-8401 | DirectX Graphics Kernel Elevation of Privilege Vulnerability |
Microsoft Graphics Component | CVE-2018-8344 | Microsoft Graphics Remote Code Execution Vulnerability |
Microsoft Graphics Component | CVE-2018-8396 | Windows GDI Information Disclosure Vulnerability |
Microsoft Graphics Component | CVE-2018-8394 | Windows GDI Information Disclosure Vulnerability |
Microsoft Office | CVE-2018-8375 | Microsoft Excel Remote Code Execution Vulnerability |
Microsoft Office | CVE-2018-8376 | Microsoft PowerPoint Remote Code Execution Vulnerability |
Microsoft Office | CVE-2018-8379 | Microsoft Excel Remote Code Execution Vulnerability |
Microsoft Office | CVE-2018-8378 | Microsoft Office Information Disclosure Vulnerability |
Microsoft Office | CVE-2018-8382 | Microsoft Excel Information Disclosure Vulnerability |
Microsoft Office | CVE-2018-8412 | Microsoft (MAU) Office Elevation of Privilege Vulnerability |
Microsoft Scripting Engine | CVE-2018-8389 | Scripting Engine Memory Corruption Vulnerability |
Microsoft Scripting Engine | CVE-2018-8385 | Scripting Engine Memory Corruption Vulnerability |
Microsoft Scripting Engine | CVE-2018-8355 | Scripting Engine Memory Corruption Vulnerability |
Microsoft Scripting Engine | CVE-2018-8371 | Scripting Engine Memory Corruption Vulnerability |
Microsoft Scripting Engine | CVE-2018-8372 | Scripting Engine Memory Corruption Vulnerability |
Microsoft Scripting Engine | CVE-2018-8353 | Scripting Engine Memory Corruption Vulnerability |
Microsoft Scripting Engine | CVE-2018-8373 | Scripting Engine Memory Corruption Vulnerability |
Microsoft Scripting Engine | CVE-2018-8380 | Chakra Scripting Engine Memory Corruption Vulnerability |
Microsoft Scripting Engine | CVE-2018-8390 | Scripting Engine Memory Corruption Vulnerability |
Microsoft Scripting Engine | CVE-2018-8381 | Chakra Scripting Engine Memory Corruption Vulnerability |
Microsoft Scripting Engine | CVE-2018-8266 | Chakra Scripting Engine Memory Corruption Vulnerability |
Microsoft Scripting Engine | CVE-2018-8359 | Scripting Engine Memory Corruption Vulnerability |
Microsoft Scripting Engine | CVE-2018-8384 | Chakra Scripting Engine Memory Corruption Vulnerability |
Microsoft Windows | CVE-2018-8346 | LNK Remote Code Execution Vulnerability |
Microsoft Windows | CVE-2018-8345 | LNK Remote Code Execution Vulnerability |
Microsoft Windows PDF | CVE-2018-8350 | Windows PDF Remote Code Execution Vulnerability |
SQL Server | CVE-2018-8273 | Microsoft SQL Server Remote Code Execution Vulnerability |
Windows Authentication Methods | CVE-2018-8340 | AD FS Security Feature Bypass Vulnerability |
Windows COM | CVE-2018-8349 | Microsoft COM for Windows Remote Code Execution Vulnerability |
Windows Diagnostic Hub | CVE-2018-0952 | Diagnostic Hub Standard Collector Elevation Of Privilege Vulnerability |
Windows Installer | CVE-2018-8339 | Windows Installer Elevation of Privilege Vulnerability |
Windows Kernel | CVE-2018-8341 | Windows Kernel Information Disclosure Vulnerability |
Windows Kernel | CVE-2018-8404 | Win32k Elevation of Privilege Vulnerability |
Windows Kernel | CVE-2018-8347 | Windows Kernel Elevation of Privilege Vulnerability |
Windows Kernel | CVE-2018-8348 | Windows Kernel Information Disclosure Vulnerability |
Windows Kernel | CVE-2018-8399 | Win32k Elevation of Privilege Vulnerability |
Windows NDIS | CVE-2018-8343 | Windows NDIS Elevation of Privilege Vulnerability |
Windows RNDIS | CVE-2018-8342 | Windows NDIS Elevation of Privilege Vulnerability |
Windows Shell | CVE-2018-8414 | Windows Shell Remote Code Execution Vulnerability |
Windows Shell | CVE-2018-8253 | Microsoft Cortana Elevation of Privilege Vulnerability |