August 2018 Patch Tuesday: Microsoft fixes two actively exploited zero-days
In the August 2018 Patch Tuesday, Microsoft has plugged over 60 vulnerabilities, two of which are being actively exploited in the wild. In addition to those, the company has also released a critical update advisory that addresses vulnerabilities found and patched in Adobe Flash.
The two patched zero-days are:
- CVE-2018-8414 – A vulnerability in Windows Shell that can be triggered by a user opening a specially crafted file and could allow the attacker to run arbitrary code in the context of the current user. It is being exploited in the wild through malicious PDF files, but any file type can do the trick. The vulnerability was actually patched out-of-band on August 2nd, but it was updated yesterday.
- CVE-2018-8373 – A remote code execution vulnerability affecting the scripting engine in Internet Explorer that can be exploited either via a specially crafted website, specially crafted content or ads on websites, or via an embedded ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine.
“[CVE-2018-8373] is one of the two active attacks this month, and this one was detected just after July’s patch Tuesday. It’s also very similar to the previously patched CVE-2018-8174, which was patched back in May,” says ZDI’s Dustin Childs.
“Analysis from Elliot Cao, the Trend Micro researcher who discovered this, revealed that it used a new UAF vulnerability in vbscript.dll. This UAF occurs when the VBScript engine uses AssignVar to assign a value to the element of an array accessed by AccessArray. Interestingly, the previous CVE was also being actively exploited when patched. In other words, if there are similar bugs to this one, they will likely be found and exploited, too. This patch should be one of your top priorities.”
Patches to prioritize
Jimmy Graham, Director of Product Management at Qualys, says that the browser and Scripting Engine patches should be prioritized for workstation-type devices.
“Microsoft has disclosed that CVE-2018-8373 has active exploits against Internet Explorer, making these patches a high priority. The PDF viewer, Windows Font Library, and GDI+ also have patches available that require a user to interact with a malicious site or file,” he notes.
Then there is CVE-2018-8345, a Windows flaw that could allow remote code execution if a malicious .LNK file is processed. “This patch should be prioritized for both workstations and servers, as the user does not need to click the file to exploit. Simply viewing a malicious LNK file can execute code as the logged-in user,” Graham explained.
Another critical flaw that has to be fixed quickly is CVE-2018-8345, a memory corruption vulnerability affecting Microsoft Exchange that could lead to remote code execution. Exploitation of the vulnerability requires that a specially crafted email be sent to a vulnerable Exchange server.
“Exchange patches are always frightening – no one wants to be the one that crashed the email server – but this bug is certainly nothing to overlook,” says Childs. More information about the flaw and a demonstration of the attack can be found here.
Administrators should also be aware of a vulnerability (CVE-2018-8340) in Microsoft Active Directory Federation Services (ADFS) that could allow attackers to bypass multi-factor authentication safeguards employed by enterprises.
Finally, Microsoft has also released updates and advice for mitigating the risk brought on by:
- The newly revealed speculative execution side channel issue known as L1 Terminal Fault (L1TF). The issue (three distinct CVE-numbered vulnerabilities) affects Intel Core processors and Intel Xeon processors.
- The Lazy FP State Restore issue (allowing side channel speculative execution) revealed in June 2018.