Are Any Other Features Being Removed From the Windows 10 April 2018 Update?

Microsoft May Patch Tuesday Fixes Two Holes Under Active Attack

Two zero-day exploits need attention now, say analysts.

Microsoft patched 68 vulnerabilities in its monthly Patch Tuesday release, including two zero-day exploits. Of the patches 21 are listed as critical, 45 rated important and two listed low in severity. Updates this month affect several products including Microsoft Windows, Internet Explorer, Edge, Office and Exchange Server.

Obviously, the priority for deploying is for those are those under active attack. That includes are CVE-2018-8174, a Windows VBScript Engine Remote Code Execution Vulnerability. The flaw was discovered and reported by Kaspersky Lab researchers and impacts IE and other projects that embed the IE web rendering engine.

“This technique, until fixed, allowed criminals to force Internet Explorer to load, no matter which browser one normally used — further increasing an already huge attack surface,” according to Anton Ivanov, security researcher at Kaspersky, in an email to Ars Technica. “We urge organizations and private users to install recent patches immediately, as it won’t be long before exploits to this vulnerability make it to popular exploit kits and will be used not only by sophisticated threat actors but also by standard cybercriminals.”

The other bug to prioritize is CVE-2018-8120, a vulnerability in older Windows OS versions (Windows 7, Server 2008, Server 2008 R2) that has been detected in exploits in the wild, according to Chris Goettl in his monthly post for Ivanti.

“At that point the attacker would have full permissions to install or remove programs, add users, view, change, or delete data. This type of vulnerability is how a threat actor would elevate their privileges to gain full access to a system they have gained access to,” says Goettl.

Security analysts recommend you install the two zero-day patches immediately. Here is a breakdown of the other notable updates this month by product. Please keep in mind these are highlights from the updates, and you should check out the entire catalog for a full list that of what could impact your systems.

Internet Explorer

As mentioned above, CVE-2018-8126 addresses a security feature bypass vulnerability exists when Internet Explorer fails to validate User Mode Code Integrity (UMCI) policies. The vulnerability could allow an attacker to bypass Device Guard UMCI policies.

To exploit the vulnerability, a user could either visit a malicious website or an attacker with access to the system could run a specially crafted application. An attacker could then leverage the vulnerability to run unsigned malicious code as though it were signed by a trusted source.

The update addresses the vulnerability by correcting how Internet Explorer validates UMCI policies.

Browsers

Other browser updates this month include CVE-2018-8178, which addresses a browser memory corruption vulnerability. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, the attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

CVE-2018-1025 addresses browser information disclosure vulnerability. Microsoft says

the vulnerability exists when affected Microsoft browsers improperly handle objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system.

Edge

CVE-2018-8179 is a remote code execution vulnerability that exists when Microsoft Edge improperly accesses objects in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

CVE-2018-8128 is a remote code execution vulnerability that exists in the way that the scripting engine handles objects in memory in Microsoft Edge. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

CVE-2018-813 is a  remote code execution vulnerability that exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

Office

CVE-2018-8157 is a  remote code execution vulnerability that exists in Microsoft Office software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user.

CVE-2018-8158 is a remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user.

Exchange Server

CVE-2018-8151 is an information disclosure vulnerability that exists when Microsoft Exchange improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the remote system.

CVE-2018-8152 is a privilege escalation vulnerability that exists when Microsoft Exchange Outlook Web Access (OWA) fails to properly handle web requests.

Windows

CVE-2018-0824 is a remote code execution vulnerability that exists in Microsoft COM for Windows when it fails to properly handle serialized objects. An attacker who successfully exploited the vulnerability could use a specially crafted file or script to perform actions.

CVE-2018-0854 is a security bypass vulnerability that exists in Windows Scripting Host which could allow an attacker to bypass Device Guard. An attacker who successfully exploited this vulnerability could circumvent a User Mode Code Integrity (UMCI) policy on the machine.

CVE-2018-0958 is a security bypass vulnerability that exists in Windows which could allow an attacker to bypass Device Guard. An attacker who successfully exploited this vulnerability could circumvent a User Mode Code Integrity (UMCI) policy on the machine

Hyper-V

CVE-2018-095 is a remote code execution vulnerability that exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system.

CVE-2018-0961 is a remote code execution vulnerability that exists when Windows Hyper-V on a host server fails to properly validate vSMB packet data. An attacker who successfully exploited these vulnerabilities could execute arbitrary code on a target operating system.

Ask @WinObs: Are Any Other Features Being Removed From the Windows 10 April 2018 Update?

I recently shared details about the retirement of HomeGroup from the Windows 10 April 2018 Update. This feature update was made available for download last week; as of this month’s Patch Tuesday, the update is now beginning its rollout through Windows Update.

Microsoft had given users a heads up about the removal of HomeGroup from this fifth feature update for Windows 10 which is why we knew that was coming.

When they began the availability of the update to the public last week that triggered the publication of the complete list of features that were either removed or planned for removal/replacement in this update.

On the page listing these changes for the feature update there is a caveat from Microsoft which states:

This list is subject to change and might not include every affected feature or functionality

In other words, this list might or might not be complete. It also might change at some point. Based on my past experience with these things, I can say that the list rarely changes.

Let’s run down this list. We begin with items that have been removed:

• Groove Music Pass: Microsoft canceled this feature late last year and handed the reigns over to Spotify.
• People: Unsaved contacts for non-Microsoft Accounts will no longer be suggested. You must manually save these contacts to send/receive email.
• Language Control: This is now in the Settings app as it has been removed from the legacy Control Panel.
• Connect to Suggested Hotspots: This was initially disabled on Windows 10 because the service was no longer available. The setting for this was still in Wi-Fi settings in Windows 10 Version 1709 and earlier but as of The April 2018 Update, the setting is now completely removed.
• Conversations in People App: These will still show up with Office 365 contacts however, you now need to be online and signed in with your Office 365 account in the Mail, People, or Calendar apps.
• XPS Viewer: This viewer was part of a Windows 10 install in earlier versions. If you had it installed when you upgrade to 1803 then it will still be there. If you are performing a clean install with 1803 then you will need to manually install the viewer. That option will be available under Apps and Features in the Settings app or Features on Demand.

Each feature update of Windows 10 also includes features that Microsoft has decided to stop developing. Typically, they are not immediately removed from Windows 10 however, they could be removed in a future update. In many cases, these features might have been replaced with other features or functionality.

Here is that list of features that Microsoft has decided to stop developing:

• Software Restrictions Policies: No longer available through Group Policy but you can use AppLocker or Windows Defender Application Control.
• Offline Symbol Packages: This package will not be available as an MSI download as it has moved to an Azure-based symbol store. The symbols are available through the Microsoft Symbol Server for local caching. An alternative method would be using SymChk.exe in a manifest file on an Internet-connected device.
• Windows Help Viewer: Microsoft has migrated all of their help files online, so this viewer will no longer be supported.
• Contacts in File Explorer: The Windows Contacts API is no longer being developed. Use the People App in Windows 10 as a replacement.
• Phone Companion: This has been replaced by the Phone page in Settings. On this page, present since 1709, you can add your phone number to sync notifications and messages to your Windows 10 device.

It is very early stages of the Windows 10 April 2018 Update rollout but over the next few months, we should hear more about how the above changes are impacting users.