It’s that time of the month again when Microsoft releases patches for its software. The June 2018 updates fix 50 vulnerabilities, 12 of which are critical.
The company has also detailed the vulnerabilities patched by Adobe and delivered via Microsoft’s updates (among them the Flash Player flaw recently spotted being exploited in the wild), and has released an update for Microsoft Office that improves how Office applications handle memory when rendering Office Art (a defense-in-depth measure).
None of the fixed vulnerabilities is being actively exploited.
CVE-2018-8267, a critical flaw affecting the Windows Scripting Engine, was disclosed without a patch earlier this month. It was reported to Microsoft by Trend Micro’s Zero Day Initiative in January, and by June the 120-day disclosure deadline mandated by ZDI had passed.
“Luckily there is no known public exploit for this vulnerability,” notes Karl Sigler, a Threat Intelligence Manager at Trustwave.
“In addition, the vulnerability only allows code execution inside a ‘sandbox’ that is implemented specifically to limit the damage from exploits like this. In order to be used for something like malware installation a criminal would need to chain an exploit for this vulnerability with a second exploit to break out of the sandbox. These two factors should hopefully give the public some time to apply patches before this vulnerability presents a real threat.”
Other vulnerabilities of note are CVE-2018-8225, CVE-2018-8231 and CVE-2018-8140.
CVE-2018-8225 is a remote code execution vulnerability affecting the Windows DNSAPI. Trend Micro ZDI’s Dustin Childs says it’s the most critical one this month, and that he has a feeling we’ll be hearing about this bug for a while.
“This vulnerability could allow an attacker to execute code at the local system level if they can get a crafted response to the target server,” he explained.
“The attacker could attempt to man-in-the-middle a legitimate query. The more likely scenario is simply tricking a target DNS server into querying an evil server that sends the corrupted response – something that can be done from the command line. It’s also something that could be easily scripted. This means there’s a SYSTEM-level bug in a listening service on critical infrastructure servers, which also means this is wormable.”
CVE-2018-8231 affects HTTP.sys, the kernel-mode protocol listener that is used by IIS and various services in Windows, and can be similarly exploited by sending a malformed (HTTP) packet to a target server.
CVE-2018-8140 is an elevation of privilege flaw that arises because Cortana retrieves data from user input services without consideration for status. It can be exploited only if Cortana assistance is enabled, and only by an attacker who has physical or console access to the machine.
Jimmy Graham, Director of Product Management at Qualys, added that Microsoft also released patches for Speculative Store Bypass, also known as Spectre Variant 4.
“These patches enable Speculative Store Bypass Disable (SSBD) for Intel processors. New Intel microcode will be required to be fully protected against Variant 4. Microsoft has released an article with recommended actions,” he pointed out.
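As an added illustration (not part of the article, and not Microsoft’s own tooling or guidance), the PowerShell snippet below audits whether a Windows host is actually protected against Variant 4 after the June updates. It assumes Microsoft’s SpeculationControl module from the PowerShell Gallery, its Get-SpeculationControlSettings cmdlet and the SSBD* properties that cmdlet reports, and reads the FeatureSettingsOverride values under the Memory Management key for reporting only; it changes nothing on the system.

```powershell
# Added example: read-only audit of the Speculative Store Bypass (Variant 4)
# mitigation state on a Windows host. Assumes the SpeculationControl module and
# the SSBD* property names it exposes. Run from an elevated PowerShell session.

function Get-SsbdStatus {
    # Fetch the module once if it is not already installed.
    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        Install-Module -Name SpeculationControl -Scope CurrentUser -Force
    }
    Import-Module SpeculationControl

    # One object is returned; its SSBD* properties describe OS support,
    # hardware/microcode support and whether the mitigation is enabled.
    $settings = Get-SpeculationControlSettings

    $report = [ordered]@{}
    foreach ($p in $settings.PSObject.Properties) {
        if ($p.Name -like 'SSBD*') { $report[$p.Name] = $p.Value }
    }

    # Override bits that Windows consults when deciding whether to enable SSBD
    # (assumed registry location; read for reporting only, never written here).
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $reg = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
    $report['FeatureSettingsOverride']     = $reg.FeatureSettingsOverride
    $report['FeatureSettingsOverrideMask'] = $reg.FeatureSettingsOverrideMask

    # Protected only when the OS patch, the CPU microcode and the system-wide
    # enablement are all present; each missing piece is called out separately.
    $report['Verdict'] =
        if (-not $settings.SSBDWindowsSupportPresent) {
            'OS update providing SSBD support is missing'
        } elseif ($settings.SSBDHardwareVulnerable -eq $false) {
            'CPU reports it is not vulnerable to Speculative Store Bypass'
        } elseif (-not $settings.SSBDHardwarePresent) {
            'CPU microcode/firmware does not expose SSBD (update microcode)'
        } elseif (-not $settings.SSBDWindowsSupportEnabledSystemWide) {
            'SSBD available but not enabled system-wide (apply Microsoft guidance)'
        } else {
            'SSBD enabled system-wide'
        }

    [pscustomobject]$report
}

# Usage: print the audit for this host.
Get-SsbdStatus | Format-List
```

The verdict string is what a fleet-wide inventory job would collect: a host that shows the OS support present but the hardware flag missing needs a microcode update from the OEM, which the patch alone cannot supply.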
Clearing up things for security researchers
Lastly, it’s worth mentioning that on Tuesday Microsoft also published a draft of a document that explains to security researchers how it decides which flaws get patched via security updates and which are fixed in the next version or release of a product, how it rates bugs, and more.
The company is looking for feedback from researchers and, presumably, will take it into consideration when making eventual changes to the final version of the document.