February Patch Tuesday Fixes Privilege Escalation Bugs
Microsoft’s Patch Tuesday for February has a bevy of fixes addressing 50 security issues in Windows, Office (including Office Services and Web Apps), SharePoint, Internet Explorer, Edge, and ChakraCore JavaScript engine, as well as additional patches for the notorious Meltdown and Spectre vulnerabilities. Of these, 14 were rated critical. Eight of these security flaws were disclosed through Trend Micro’s Zero Day Initiative.
A fix for the previous zero-day vulnerability in Adobe Flash (CVE-2018-4878) was also included in the rollout of patches, though it had in fact been silently pushed out last week.
The majority of the vulnerabilities are elevation-of-privilege flaws. When exploited successfully, these can allow hackers to carry out normally restricted, system-level functions or hijack the affected systems. There are also 11 security issues affecting the Windows kernel that can lead to local privilege escalation and information disclosure when exploited.
Of note are three vulnerabilities:
- CVE-2018-0852: A memory corruption vulnerability in Microsoft Outlook that, when exploited successfully, can let attackers run arbitrary code. What’s notable with this flaw is that Outlook’s Preview Pane can become an attack vector — the would-be victim need only receive a preconfigured message for malicious code to run. If the victim is logged on with administrative rights, the attacker can hijack the system, such as by installing programs, viewing, altering or deleting data, or creating privileged user accounts. The malicious file can also be hosted on an attacker-owned or compromised website, in which case the hacker would have to trick users into clicking a link that diverts them to the site.
- CVE-2018-0850: A privilege escalation flaw in Microsoft Outlook. The vulnerability can be exploited through a specially crafted email designed to force Outlook to load local or remote messages over Server Message Block (SMB).
- CVE-2018-0771: A security feature bypass vulnerability in Microsoft Edge. When exploited successfully, it allows an attacker to circumvent Same-Origin Policy (SOP) restrictions in Microsoft Edge; SOP prevents a website’s scripts (i.e., JavaScript, Ajax) from accessing sensitive data from, and interacting with, scripts used on other websites.
Adobe also rolled out its own patches (APSB18-02), addressing security issues in Acrobat Reader and Experience Manager on both Windows and Mac platforms. Of the vulnerabilities listed in Adobe’s bulletin — most of which can lead to remote code execution — 26 were disclosed via Trend Micro’s Zero Day Initiative.
Trend Micro™ Deep Security protects user systems from threats that may target the aforementioned vulnerabilities via the following DPI rules:
- 1008866 - Microsoft Windows StructuredQuery Remote Code Execution Vulnerability (CVE-2018-0825)
- 1008874 - Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2018-0860)
- 1008871 - Microsoft Internet Explorer And Edge Scripting Engine Memory Corruption Vulnerability (CVE-2018-0840)
- 1008877 - Microsoft Windows Multiple Security Vulnerabilities (Feb-2018)
- 1008867 - Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2018-0834)
- 1008870 - Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2018-0838)
- 1008872 - Microsoft Office Remote Code Execution Vulnerability (CVE-2018-0841)
- 1008869 - Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2018-0837)
- 1008868 - Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2018-0835)
- 1008873 - Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2018-0858)
- 1008881 - Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2018-0866)
Trend Micro™ TippingPoint™ customers are protected from threats that may exploit the vulnerabilities via these MainlineDV filters:
- 30331: HTTP: Microsoft Edge prototype Use-After-Free Vulnerability
- 30334: HTTP: Microsoft Windows win32k Use-After-Free Vulnerability
- 30336: HTTP: Microsoft Windows win32kbase Use-After-Free Vulnerability
- 30341: HTTP: Microsoft Windows LNK Memory Corruption Vulnerability
- 30342: HTTP: Microsoft Edge prototype defineGetter Use-After-Free Vulnerability
- 30345: HTTP: Microsoft Chakra Javascript __proto__ JIT Optimization Type Confusion Vulnerability
- 30349: HTTP: Microsoft Chakra JavaScript Array sort JIT Optimization Type Confusion Vulnerability
- 30351: HTTP: Microsoft Chakra JavaScript this JIT Optimization Type Confusion Vulnerability
- 30362: HTTP: Microsoft Edge JIT Optimization Type Confusion Vulnerability
- 30365: HTTP: Microsoft Chakra JavaScript Array Type Confusion Vulnerability
- 30366: HTTP: Microsoft Windows clfs.sys BLF Privilege Escalation Vulnerability
- 30367: HTTP: Microsoft HID Parsing Library Out-of-Bounds Vulnerability
- 30368: HTTP: Microsoft Windows clfs.sys BLF Privilege Escalation Vulnerability
- 30388: HTTP: Microsoft Excel XLS Parsing Type Confusion Vulnerability
- 30410: HTTP: Microsoft Internet Explorer localeCompare Use-After-Free Vulnerability