Patch Tuesday: Exploits Likely on Vulnerabilities This Month
Microsoft released 61 security patches for September, including 17 listed as Critical. Several flaws were publicly disclosed before the release and one is already being actively exploited in the wild.
The patches and advisories cover Internet Explorer (IE), Edge, ChakraCore, Azure, Hyper-V, Windows components, .NET Framework, SQL Server, and Microsoft Office and Office Services. You can find all of the updates at the Microsoft portal.
Here are the highlights from this month’s release, with the information you need to prioritize your patching efforts.
CVE-2018-8440 – Windows ALPC Elevation of Privilege Vulnerability
The patch to prioritize this month is CVE-2018-8440, a local privilege escalation vulnerability that arises when Windows incorrectly handles calls to the Advanced Local Procedure Call (ALPC) interface. The flaw was first made public last month via a tweet (which was later deleted) and attackers are already taking advantage of it.
At the time it was disclosed, Will Dormann, a vulnerability analyst at the CERT/CC, noted, “I’ve confirmed that this works well in a fully-patched 64-bit Windows 10 system.”
Don’t delay in getting CVE-2018-8440 rolled out.
CVE-2018-8475 – Windows Remote Code Execution Vulnerability
Analysts this month also say CVE-2018-8475 is urgent. This bulletin addresses a remote code execution vulnerability that exists when Windows does not properly handle specially crafted image files. An attacker who successfully exploited the vulnerability could execute arbitrary code – and all it takes to exploit it is for an attacker to convince a user to download an image file.
“That’s all the user interaction needed. Open the wrong image – even through a web browser – and code executes, making this a browse-and-own scenario,” said Dustin Childs of Trend Micro Zero Day Initiative in a blog post. “Microsoft provides no information on where this is public, but given the severity of the issue and the relative ease of exploitation, expect this one to find its way into exploit kits quickly.”
CVE-2018-8457 – Scripting Engine Memory Corruption Vulnerability
Microsoft has rated this as a 1 on its Exploitability Index, meaning exploitation is more likely, so get this deployed soon. According to the bulletin, CVE-2018-8457 is a memory corruption vulnerability in Microsoft’s scripting engine. An attacker could corrupt memory in such a way that they could execute arbitrary code in the context of the current user, gaining the same rights as that user. Running with least privilege limits the impact if this vulnerability is successfully exploited. The vulnerability could be exploited in several scenarios, including web-based attacks in which a specially crafted website hosts malicious content, and through an embedded ActiveX control marked “safe for initialization” within an application or Office document.
CVE-2018-0965, CVE-2018-8439 – Windows Hyper-V Remote Code Execution Vulnerabilities
Both of these CVEs have the same exploit scenario and impact, noted Childs.
“For both cases, a user on a guest virtual machine could execute code on the underlying hypervisor OS. The root cause for both of these bugs goes back to the failure to properly validate user input. Although titled as ‘remote code execution,’ these bugs require an attacker to execute code on the guest OS. If an attacker (or malware) does have the ability to run programs, their code executes on the hypervisor – potentially impacting other guest OSes.”
CVE-2018-8449 – Device Guard Security Feature Bypass Vulnerability
A security feature bypass exists when Device Guard incorrectly validates an untrusted file, noted the bulletin. An attacker who successfully exploited this vulnerability could make an unsigned file appear to be signed. Because Device Guard relies on the signature to determine the file is non-malicious, Device Guard could then allow a malicious file to execute. In an attack scenario, an attacker could make an untrusted file appear to be a trusted file. The update addresses the vulnerability by correcting how Device Guard handles untrusted files.
“Expect this bug to show up in future exploits,” said Childs.
Here are the additional critical, must-install patches by product:
- Browsers: CVE-2018-8367, CVE-2018-8391, CVE-2018-8447, CVE-2018-8456, CVE-2018-8457, CVE-2018-8459, CVE-2018-8461, CVE-2018-8464, CVE-2018-8465, CVE-2018-8466, CVE-2018-8467
- Windows Hyper-V: CVE-2018-0965, CVE-2018-8439
- Microsoft Windows: CVE-2018-8332, CVE-2018-8420, CVE-2018-8475
- Microsoft .NET Framework: CVE-2018-8421
Ask @WinObs: Is Windows 10 Blocking All Non-Edge Browsers?
Q. Is Microsoft really blocking the install of Chrome and other browsers on Windows 10?
A. The answer is a Yes & No situation, so let me explain.
Earlier this week, Windows Insiders who are testing Skip Ahead builds for the next feature update of Windows 10 – codenamed 19H1 – saw a new pop-up alert when trying to install an alternative browser on their systems.
Here is what that alert looked like:
This was showing up on these test systems when the user went to the Chrome or Firefox websites and downloaded the browser installers. Microsoft then detected the install process and prompted the user with this dialog box, temporarily interrupting the activity.
As you can see, there are three choices available:
- Keep using Microsoft Edge and abandon the Chrome install
- Go ahead with the Chrome installation
- Turn off this warning in the future in Windows Settings
News of this started to spread quickly across social media and was posted on multiple tech news sites. The reactions, as you might imagine, were fast and furious, and they came from both ends of the spectrum.
Some believed this was a step too far and just a continuation of Microsoft’s invasion of the Windows 10 operating system to display suggestions/ads for apps and services in multiple locations throughout the OS.
Others reacted that all is fair in love and the browser wars because Google pings Edge users when they access Google properties such as Google Docs, YouTube and Gmail.
Note: it is interesting, however, that Google does not suggest Chrome to Firefox users accessing the same Google services as an Edge user. Look at the example below.
Microsoft Edge on top; Mozilla Firefox on the bottom – both accessing Gmail
While we are on this subject – Microsoft Edge will do the same thing when you access a Microsoft site using Chrome, but they also provide that same prompt, shown below, to Firefox users.
Microsoft Edge prompting a Chrome user to consider Edge when accessing the Microsoft Account website
Anyway, as you can see, the browser wars are far from over, as Ed Bott put it in his coverage of this situation over on ZDNet.
Getting back to this prompt, Microsoft has since released a statement about why it suddenly appeared on Windows Insider systems:
“We’ve tested this functionality with Insiders only – The Windows Insider Program enables Microsoft to test different features, functionality and garner feedback before rolling out broadly. Customers remain in control and can choose the browser of their choice.”
Microsoft has tested a lot of features in various iterations of pre-release Windows 10 builds. They make it a point that until a build is released as a new feature update, no feature or functionality is guaranteed to make the final build. We have seen this happen with big enhancements like Sets and smaller changes on multiple occasions.
Don’t get me wrong, the coverage of this new prompt when a user is installing Chrome or Firefox on Windows 10 is appropriate, and it is a big form of feedback for the company about this option. In fact, the feedback was so swift that they have already removed it from the latest Windows Insider builds.
Will it appear again in a future series of development builds for a Windows 10 feature update? No, it will not if anyone back in Redmond is paying attention to the reaction this testing garnered. However, when we first began seeing suggestions for apps throughout Windows 10 during past development cycles there were similar episodes of intense feedback from Windows Insiders, but they are still present in the OS in the latest production builds. They do at least have an off switch that advanced users will easily figure out and switch off.
Peter Bright, over at Ars Technica, made two solid observations about the reaction to this situation:
“…these companies are going to continue to do this kind of thing because, guess what, it works. Sometimes people will subscribe to YouTube Red. Sometimes they’ll think, “OK, I’ll give Edge a shot and see if I like it.” Sometimes they’ll be inspired to try Chrome. These companies wouldn’t risk the annoyance factor if it didn’t pay off. But it does. These companies love nothing more than collecting usage data; you can bet that they’re only doing this because they’re seeing an upside to it.”
He followed that with this:
“It’s not even surprising that these things work. That’s because for a lot of people these promotions are actually telling them something they don’t know. They don’t know that the blue “e” is no longer the reviled Internet Explorer of old, the one that they know they shouldn’t use because their much more knowledgeable family member told them not to use it. They don’t know that YouTube has subscription services that kill the ads and add extra features. Some of them might not even know that the blue “e” isn’t, in fact, the only way to get on the Internet—they might not know that Chrome or Firefox exist. What knowledgeable users see as annoying nagging is, for other users, fresh and new information.”
He perfectly encompasses the reaction to this entire episode in those two paragraphs.
I have said on many occasions that advanced users of technology are not the target audience for these prompts. Mandatory Windows Updates in Windows 10 are not for us – they are for the everyday user of the OS.
The process of discovery is a balance between self-promotion and helping to educate users – it is also very emotional for many, as the last couple of days have shown us.
The TLDR answer to the original question of whether Microsoft is blocking the install of alternate browsers on Windows 10 is no, they are not. Even when this setting was turned on – the user still had a choice to install their browser of choice.
However, to reiterate what my friend Ed Bott wrote – the browser wars are far from over.
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).
Copyright © 2025 AskWoody LLC, All rights reserved.
