October 2018 Patch Tuesday: Microsoft fixes 49 flaws, one APT-wielded zero-day
With the October 2018 Patch Tuesday release Microsoft has fixed 49 vulnerabilities, 12 of which are rated “critical.”
Previously known flaws and an actively exploited zero-day
The only zero-day in this batch is CVE-2018-8453, an elevation of privilege vulnerability affecting Windows.
Attackers must first gain access to the system, but then this vulnerability allows them to run arbitrary code in kernel mode and, ultimately, to install programs; view, change, or delete data; or create new accounts with full user rights.
The vulnerability was reported by Kaspersky Lab in August. The company says it detected a very limited number of attacks exploiting this vulnerability against victims in the Middle East.
“During our investigation, we discovered the attackers were using a PowerShell backdoor that has previously been seen exclusively used by the FruityArmor APT. There is also an overlap in the domains used for C2 between this new set of activity and previous FruityArmor campaigns. That makes us assess with medium confidence that FruityArmor is responsible for the attacks leveraging CVE-2018-8453,” the company noted.
The three previously disclosed flaws are as follows:
- CVE-2018-8423 is a remote code execution vulnerability in the Microsoft JET database engine and can be triggered when a victim is tricked into opening a malicious JET Database Engine file.
- CVE-2018-8531 is a memory corruption vulnerability in the Azure IoT Hub Device Client SDK that can allow an attacker to execute arbitrary code in the context of the current user.
- CVE-2018-8497 is an elevation of privilege vulnerability that exists in the way that the Windows Kernel handles objects in memory.
None of these are currently being exploited in the wild.
Prioritizing patches
Animesh Jain, Product Manager, VM Signatures at Qualys, advises administrators to prioritize Browser and Scripting Engine patches for workstations (i.e., any system that is used for email or to access the internet via a browser), as most of the critical vulnerabilities this month are in the Chakra Scripting Engine, Internet Explorer, and Edge.
The Hyper-V patches should also be implemented as soon as possible, as they plug two remote code execution holes that would allow an authenticated user on a guest system to run arbitrary code on the host system.
Trend Micro Zero Day Initiative’s Dustin Childs pointed out the patch for a vulnerability in Exchange Server that was first discovered eight years ago. CVE-2010-3190 is an RCE bug that exists in the way certain applications built using Microsoft Foundation Classes (MFC) handle the loading of DLL files.
“Often referred to as ‘binary planting’ or ‘DLL preloading attacks,’ this class of bugs has [previously] received close to 30 bulletins in total to fix various components. This month, Microsoft identified Exchange Server as another component that requires similar DLL preloading protections,” Childs noted.
“If you have a version of Exchange prior to Exchange Server 2016 Cumulative Update 11, you’ll also need the Visual Studio 2010 patch from MS11-025. This patch accompanies two command injection fixes impacting Exchange this month, which means another rough month of testing and patching for Exchange admins.”
As usual, Adobe followed Microsoft by releasing security updates for several of its products (Flash, Framemaker, Adobe Digital Editions, and the Adobe Technical Communications Suite) but as the Flash update doesn’t contain any security fixes, Microsoft didn’t have to incorporate any.