Microsoft Tuesday August 2018

Earl Carter (Talos Blog), Aug 14, 2018 - 11:26 a.m.

Microsoft released its monthly set of security advisories today for vulnerabilities that have been identified and addressed in various products. This month’s advisory release addresses 62 new vulnerabilities, 20 of which are rated “critical,” 38 that are rated “important,” one that is rated moderate and one that is rated as low severity. These vulnerabilities impact Windows Operating System, Edge and Internet Explorer, along with several other products.

In addition to the 60 vulnerabilities referenced above, Microsoft has also released a critical update advisory, ADV180020, which addresses the vulnerabilities described in the Adobe Flash Security Bulletin APSB18-25.

Critical Vulnerabilities

This month, Microsoft is addressing 20 vulnerabilities that are rated “critical.” Talos believes 10 of these are notable and require prompt attention.

CVE-2018-8273 is a remote code execution vulnerability in Microsoft SQL Server that could allow an attacker who successfully exploits the vulnerability to execute code in the context of the SQL Server Database Engine service account.

CVE-2018-8302 is a remote code execution vulnerability in the Microsoft Exchange email and calendar software that exists when the software fails to properly handle objects in memory. An attacker who successfully exploits the vulnerability could run arbitrary code in the context of the System user.

CVE-2018-8344 is a remote code execution vulnerability that exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploits this vulnerability could take control of the affected system. This vulnerability can be exploited in multiple ways. By leveraging a web-based attack, an attacker can convince a user to visit a web page that has been specially crafted to exploit this vulnerability. This could be in the form of an attacker-controlled webpage, or simply a page that hosts external content, such as advertisements. An attacker can also provide a specially crafted document that is designed to exploit the vulnerability, and then convince users to open the document file.

CVE-2018-8350 is a remote code execution vulnerability that exists when the Microsoft Windows PDF Library improperly handles objects in memory. An attacker who successfully exploits the vulnerability could gain the same user rights as the current user. The vulnerability can be exploited simply by viewing a website that hosts a malicious PDF file on a Windows 10 system with Microsoft Edge set as the default browser. On other affected systems that do not render PDF content automatically, an attacker would have to convince users to open a specially crafted PDF document, such as a PDF attachment to an email message.

CVE-2018-8266, CVE-2018-8355, CVE-2018-8380, CVE-2018-8381 and CVE-2018-8384 are remote code execution vulnerabilities that exist in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. An attacker who successfully exploits one of these vulnerabilities can potentially gain the same user rights as the current user. These vulnerabilities could be leveraged in web-based attacks where a user is convinced to visit a web page that has been specially crafted to exploit them. This could be in the form of an attacker-controlled webpage, or simply a page that hosts external content, such as advertisements.

CVE-2018-8397 is a remote code execution vulnerability that exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploits this vulnerability could take control of the affected system. This vulnerability can be exploited in multiple ways. By leveraging a web-based attack, an attacker can convince a user to visit a webpage that has been specially crafted to exploit this vulnerability. This could be in the form of an attacker-controlled webpage, or simply a page that hosts external content, such as advertisements. An attacker can also provide a specially crafted document file that is designed to exploit the vulnerability, and then convince users to open the document file.

Other vulnerabilities deemed “critical” are listed below:

CVE-2018-8345 LNK Remote Code Execution Vulnerability

CVE-2018-8359 Scripting Engine Memory Corruption Vulnerability

CVE-2018-8371 Scripting Engine Memory Corruption Vulnerability

CVE-2018-8372 Scripting Engine Memory Corruption Vulnerability

CVE-2018-8373 Scripting Engine Memory Corruption Vulnerability

CVE-2018-8377 Microsoft Edge Memory Corruption Vulnerability

CVE-2018-8385 Scripting Engine Memory Corruption Vulnerability

CVE-2018-8387 Microsoft Edge Memory Corruption Vulnerability

CVE-2018-8390 Scripting Engine Memory Corruption Vulnerability

CVE-2018-8403 Microsoft Browser Memory Corruption Vulnerability

Important Vulnerabilities

This month, Microsoft is addressing 38 vulnerabilities that are rated “important.” Talos believes two of these are notable and require prompt attention.

CVE-2018-8200 is a vulnerability that exists in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session. An attacker who successfully exploits this vulnerability can potentially inject code into a trusted PowerShell process to bypass the Device Guard code integrity policy on the local machine. To exploit the vulnerability, an attacker would first have to access the local machine and then inject malicious code into a script that is trusted by the policy. The injected code would then run with the same trust level as the script and bypass the policy.

CVE-2018-8340 is a security feature bypass vulnerability in Windows Authentication Methods that affects Active Directory Federation Services (AD FS). An attacker who successfully exploits this vulnerability could bypass some, but not all, of the authentication factors.

Other vulnerabilities deemed “important” are listed below:

CVE-2018-0952 Diagnostic Hub Standard Collector Elevation Of Privilege Vulnerability

CVE-2018-8204 Device Guard Code Integrity Policy Security Feature Bypass Vulnerability

CVE-2018-8253 Cortana Elevation of Privilege Vulnerability

CVE-2018-8316 Internet Explorer Remote Code Execution Vulnerability

CVE-2018-8339 Windows Installer Elevation of Privilege Vulnerability

CVE-2018-8341 Windows Kernel Information Disclosure Vulnerability

CVE-2018-8342 Windows NDIS Elevation of Privilege Vulnerability

CVE-2018-8343 Windows NDIS Elevation of Privilege Vulnerability

CVE-2018-8346 LNK Remote Code Execution Vulnerability

CVE-2018-8347 Windows Kernel Elevation of Privilege Vulnerability

CVE-2018-8348 Windows Kernel Information Disclosure Vulnerability

CVE-2018-8349 Microsoft COM for Windows Remote Code Execution Vulnerability

CVE-2018-8351 Microsoft Edge Information Disclosure Vulnerability

CVE-2018-8353 Scripting Engine Memory Corruption Vulnerability

CVE-2018-8357 Microsoft Browser Elevation of Privilege Vulnerability

CVE-2018-8358 Microsoft Browser Security Feature Bypass Vulnerability

CVE-2018-8360 .NET Framework Information Disclosure Vulnerability

CVE-2018-8370 Microsoft Edge Information Disclosure Vulnerability

CVE-2018-8375 Microsoft Excel Remote Code Execution Vulnerability

CVE-2018-8376 Microsoft PowerPoint Remote Code Execution Vulnerability

CVE-2018-8378 Microsoft Office Information Disclosure Vulnerability

CVE-2018-8379 Microsoft Excel Remote Code Execution Vulnerability

CVE-2018-8382 Microsoft Excel Information Disclosure Vulnerability

CVE-2018-8383 Microsoft Edge Spoofing Vulnerability

CVE-2018-8389 Scripting Engine Memory Corruption Vulnerability

CVE-2018-8394 Windows GDI Information Disclosure Vulnerability

CVE-2018-8396 Windows GDI Information Disclosure Vulnerability

CVE-2018-8398 Windows GDI Information Disclosure Vulnerability

CVE-2018-8399 Win32k Elevation of Privilege Vulnerability

CVE-2018-8400 DirectX Graphics Kernel Elevation of Privilege Vulnerability

CVE-2018-8401 DirectX Graphics Kernel Elevation of Privilege Vulnerability

CVE-2018-8404 Win32k Elevation of Privilege Vulnerability

CVE-2018-8405 DirectX Graphics Kernel Elevation of Privilege Vulnerability

CVE-2018-8406 DirectX Graphics Kernel Elevation of Privilege Vulnerability

CVE-2018-8412 Microsoft (MAU) Office Elevation of Privilege Vulnerability

CVE-2018-8414 Windows Shell Remote Code Execution Vulnerability

Coverage

In response to these vulnerability disclosures, Talos is releasing the following Snort rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.

Snort Rules:

45877-45878, 46548-46549, 46999-47002, 47474-47493, 47495-47496, 47503-47504, 47512-47513, 47515-47520
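To confirm that the SIDs listed above are actually present and enabled in a deployed ruleset, the following added example (not part of the original post or Talos's tooling) expands the SID ranges from the Coverage section and checks them against a constructed sample rules file, reporting SIDs that are missing or commented out. The rules file contents and the helper names are assumptions for illustration.

```python
import re

# Snort SIDs exactly as listed in the Coverage section of the post.
SNORT_SID_RANGES = ("45877-45878, 46548-46549, 46999-47002, 47474-47493, "
                    "47495-47496, 47503-47504, 47512-47513, 47515-47520")

# Constructed sample of a local rules file (not real Talos rules): one enabled
# rule from the coverage set, one disabled (commented out) rule from the set,
# and one unrelated rule.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED sample"; sid:47474; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED disabled"; sid:47475; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED unrelated"; sid:10000; rev:1;)
"""

def expand_sid_ranges(text):
    """Turn '45877-45878, 46999-47002' into the set of individual SIDs."""
    sids = set()
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi) if hi else int(lo)
        if hi < lo:
            raise ValueError("bad SID range: " + part)
        sids.update(range(lo, hi + 1))
    return sids

# Matches the sid option of a Snort rule, e.g. "sid:47474;".
_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def parse_rule_states(rules_text):
    """Map sid -> True if the rule line is enabled, False if commented out."""
    states = {}
    for line in rules_text.splitlines():
        stripped = line.strip()
        m = _SID_RE.search(stripped)
        if m:
            states[int(m.group(1))] = not stripped.startswith("#")
    return states

def coverage_report(sid_ranges, rules_text):
    """Return (missing, disabled): SIDs absent from the file, and SIDs present but disabled."""
    wanted = expand_sid_ranges(sid_ranges)
    states = parse_rule_states(rules_text)
    missing = {s for s in wanted if s not in states}
    disabled = {s for s in wanted if states.get(s) is False}
    return missing, disabled
```

Run `coverage_report(SNORT_SID_RANGES, open("snort.rules").read())` against a real rules file to list which of the 40 SIDs still need to be pulled in or enabled.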