Patch Tuesday: Microsoft Releases 39 Patches, One Exploited in the Wild
A lighter Patch Tuesday this month as Microsoft released just 38 security patches for December, including a fix for a privilege escalation bug that has been reportedly exploited in the wild. A patch for a denial-of-service vulnerability in web applications built with .NET Framework was also released, but is not under active exploit at this time. Of the patches, nine updates are considered critical, and most of those are browser related. The rest are rated important and should also be prioritized.
“The mix of affected products is fairly standard, with most fixes being browser-related and a handful of Office patches. The most critical this month is server-side: CVE-2018-8626 is an RCE against Windows DNS Server which could allow an unauthenticated attacker to run arbitrary code by issuing a malicious request to the server,” said Greg Wiseman of Rapid7 in a blog post on the releases.
Wiseman said server-related fixes to note this month include two CVEs for SharePoint, as well as patches for Exchange Server 2016 and Microsoft Dynamics NAV.
Here are the highlights from this month’s release with the information you need to prioritize your patching efforts.
Notable Patches
CVE-2018-8611 – Windows Kernel Elevation of Privilege Vulnerability
“The attacker would first have to log on to the system then run a specially crafted application to take control of the affected system,” said Chris Goettl, director of product management, security, for Ivanti about this vulnerability. “This vulnerability exists in all currently supported Windows Operating systems from Windows 7 to Server 2019. Exploitation has been detected on older OSs already, but the Exploitability Index is rated as a 1 for Windows 10 and Server 2019.”
CVE-2018-8517 – .NET Framework Denial Of Service Vulnerability
A denial of service vulnerability exists when .NET Framework improperly handles special web requests, according to the Microsoft bulletin. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET Framework web application. The vulnerability can be exploited remotely, without authentication. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET Framework application.
“The vulnerability is rated as Important likely due to complexity to exploit, but it has been publicly disclosed meaning enough information has been revealed to the public to give a threat actor a head start on creating an exploit to take advantage of the vulnerability. Public disclosures increase the odds a vulnerability will be exploited,” said Goettl about this fix.
Here is a round-up of the critical and important must-install patches by Microsoft product line for December 2018:
Microsoft Office
(CVE-2018-8580) — When users are simultaneously logged in to Microsoft SharePoint Server and visit a malicious web page, the attacker can, through standard browser functionality, induce the browser to invoke search queries as the logged in user. While the attacker can’t access the search results or documents as such, the attacker can determine whether the query did return results or not, and thus by issuing targeted queries discover facts about documents that are searchable for the logged-in user.
(CVE-2018-8587) — A remote code execution vulnerability exists in Microsoft Outlook software when it fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could use a specially crafted file to perform actions in the security context of the current user. For example, the file could then take actions on behalf of the logged-on user with the same permissions as the current user.
(CVE-2018-8597) — A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
(CVE-2018-8598) — An information disclosure vulnerability exists when Microsoft Excel improperly discloses the contents of its memory. An attacker who exploited the vulnerability could use the information to compromise the user’s computer or data.
(CVE-2018-8627) — An information disclosure vulnerability exists when Microsoft Excel software reads out of bound memory due to an uninitialized variable, which could disclose the contents of memory. An attacker who successfully exploited the vulnerability could view out of bound memory.
(CVE-2018-8628) — A remote code execution vulnerability exists in Microsoft PowerPoint software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user.
(CVE-2018-8635) — An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted authentication request to an affected SharePoint server. An attacker who successfully exploited this vulnerability could execute malicious code on a vulnerable server in the context of the SharePoint application pool account.
(CVE-2018-8636) — A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user.
(CVE-2018-8650) — A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server.
Microsoft Windows Kernel
(CVE-2018-8477) — An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system.
(CVE-2018-8611) — An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
(CVE-2018-8621) — An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system.
(CVE-2018-8622) — An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system.
(CVE-2018-8637) — An information disclosure vulnerability exists in Windows kernel that could allow an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (KASLR) bypass. An attacker who successfully exploited this vulnerability could retrieve the memory address of a kernel object.
(CVE-2018-8639) — An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
(CVE-2018-8641) — An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Microsoft Windows
(CVE-2018-8626) — A remote code execution vulnerability exists in Windows Domain Name System (DNS) servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.
(CVE-2018-8634) — A remote code execution vulnerability exists in Windows where Microsoft text-to-speech fails to properly handle objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
(CVE-2018-8514) — An information disclosure vulnerability exists when Remote Procedure Call runtime improperly initializes objects in memory.
(CVE-2018-8595) — An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.
(CVE-2018-8596) — An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.
(CVE-2018-8599) — An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector Service improperly impersonates certain file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges.
(CVE-2018-8612) — A Denial Of Service vulnerability exists when Connected User Experiences and Telemetry Service fails to validate certain function values. An attacker who successfully exploited this vulnerability could deny dependent security feature functionality.
(CVE-2018-8638) — An information disclosure vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system.
(CVE-2018-8649) — A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding.
Microsoft .NET Framework
(CVE-2018-8540) — A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly.
(CVE-2018-8517) — A denial of service vulnerability exists when .NET Framework improperly handles special web requests.
Microsoft Exchange Server
(CVE-2018-8604) — A tampering vulnerability exists when Microsoft Exchange Server fails to properly handle profile data. An attacker who successfully exploited this vulnerability could modify a targeted user’s profile data.
Microsoft Windows Azure Pack
(CVE-2018-8652) — A Cross-site Scripting (XSS) vulnerability exists when Windows Azure Pack does not properly sanitize user-provided input. An authenticated attacker could exploit the vulnerability by sending a specially crafted payload to the web interface, which will get executed in the context of the user every time a user visits the compromised page.
Microsoft Dynamics NAV
(CVE-2018-8651) — A Cross-site Scripting (XSS) vulnerability exists when Microsoft Dynamics NAV does not properly sanitize a specially crafted web request to an affected Dynamics NAV server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected Dynamics NAV server.
You can find all of the updates at the Microsoft portal.
Ask @WinObs: Where Can I Track Updates for Windows 10?
Q. Where Can I Track Updates for Windows 10?
A. There has been a lot of talk over the last several weeks about various updates for Windows 10. If you want to keep an eye on these updates it is easy to do because Microsoft documents them all as they are released.
Most everyone knows about Patch Tuesday, but as Microsoft recently detailed on the official Windows Blog, there are multiple update categories which they use to organize the patches they push out for Windows 10 each month.
Here is a quick rundown of those categories according to Microsoft:
B Release – These are the well-known Patch Tuesday updates, which are released on the second Tuesday of each month. These updates are cumulative, so they contain not only new security-related patches, but the ones released in previous months as well. Using the cumulative update process means less fragmentation between Windows 10 devices because of some patches not being previously installed. Typical release time is at 10:00 AM Pacific time – Microsoft’s time zone at their headquarters in Redmond, Washington.
C and D Releases – These patches are previews of upcoming non-security fixes for Windows 10. Primarily these previews are intended for commercial customers for testing; however, advanced users can seek them out by going to Windows Update and checking for updates. These preview updates are not distributed to devices using automatic update settings.
On-Demand Releases – These are sometimes referred to as out of cycle updates and are usually issued to address an issue that is urgent and cannot wait until the next scheduled B Release, aka Patch Tuesday. They either address a security vulnerability or a quality/performance related issue which impacts multiple devices.
As you might have noticed, the letter of the release corresponds with the week of the month.
B = Second Week
C = Third Week
D = Fourth Week
Note: Other Microsoft software follows a similar schedule as the Windows 10 one noted above.
Windows 10 Update History
As you might imagine, over time the list of updates for Windows 10 can get quite large but Microsoft has created a centralized web page to see everything that has been issued for the OS.
The list is broken down chronologically for each major feature update for Windows 10. It lists all of the updates back to the original Windows 10 release back in July 2015.
Windows 10 Update History Page
By clicking on the feature update entries in the left-hand sidebar, you can see the full list of patches and other updates for that version of Windows 10.
A new feature that has recently been added for transparency, primarily due to the rough release of the October 2018 Update for Windows 10, is the list of known issues/current status about that feature update on the main update page.
Each individual patch is published with an associated Microsoft Knowledge Base article, and that list of articles is linked under the In this release header of the left-hand sidebar. By clicking on those individual entries, you can see what was included in the patch:
- Improvements and fixes
- Known issues
- How to get this update
If you prefer to hold off on grabbing updates for Windows 10 on day 1 of their release, then this page is going to be a useful resource. You can come here after each update cycle, read about the updates and any known issues before deciding to move forward with the patches.
Of course, there is a balance when it comes to installing updates and managing the potential risk that can come about either due to the update itself or the vulnerability/issue it is fixing. Bottom line is to have a plan for your approach and make smart decisions that help you meet your security and system integrity goals.
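For planning around the release cadence described above (B release on the second Tuesday, C and D in the weeks that follow), the dates can be computed rather than read off a calendar. This is an added example, not code from Microsoft or the newsletter; the function names, the `hold_days` parameter, and the assumption that each release week is a 7-day window opening on a Tuesday are illustrative choices.

```python
import calendar
from datetime import date, timedelta


def patch_tuesday(year: int, month: int) -> date:
    """B release day: the second Tuesday of the month."""
    first = date(year, month, 1)
    # Days from the 1st to the first Tuesday (0 if the 1st is a Tuesday).
    to_first_tuesday = (calendar.TUESDAY - first.weekday()) % 7
    return first + timedelta(days=to_first_tuesday + 7)


def release_week(day: date):
    """Return 'B', 'C' or 'D' for the release week a date falls in, else None.

    Assumption: each week is the 7-day window opening on a Tuesday, with
    the B week opening on Patch Tuesday. The article only states that
    C and D map to the third and fourth week of the month.
    """
    delta = (day - patch_tuesday(day.year, day.month)).days
    if delta < 0:
        return None  # earlier than this month's Patch Tuesday
    week = delta // 7
    return "BCD"[week] if week < 3 else None


def review_date(year: int, month: int, hold_days: int) -> date:
    """Day to revisit the update history page after holding off.

    hold_days is a hypothetical local policy value (for example 7).
    """
    return patch_tuesday(year, month) + timedelta(days=hold_days)


if __name__ == "__main__":
    # Months starting on Saturday, Wednesday and Tuesday: the second
    # Tuesday can fall anywhere from the 8th to the 14th.
    for y, m in [(2018, 12), (2019, 5), (2019, 10)]:
        print(y, m, patch_tuesday(y, m), review_date(y, m, 7))
```

The second Tuesday is not always in the second calendar week: when a month begins on a Wednesday, Patch Tuesday lands on the 14th, which matters for maintenance windows defined as "second week of the month".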
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).
Copyright © 2025 AskWoody LLC, All rights reserved.
