Exploits & Vulnerabilities
Microsoft’s May Patch Tuesday Fixes Exploited Bugs
For May 2018, Microsoft’s monthly release of security updates — also known as Patch Tuesday — addressed a number of vulnerabilities, most notably two vulnerabilities that were already actively exploited in attacks.
One of these vulnerabilities is CVE-2018-8174, a remote code execution flaw in the way the VBScript engine handles objects in memory. Exploiting it corrupts system memory in a way that could allow an attacker to execute arbitrary code and, from there, gain administrative rights and manipulate the system for malicious purposes. Trend Micro’s Zero Day Initiative (ZDI) also noted that the vulnerability bears similarities to CVE-2018-1004, which was patched in the previous update. Attacks by threat actors exploiting this vulnerability have already been reported.
The second vulnerability, CVE-2018-8120, is an elevation of privilege vulnerability in Windows that exists because the Win32k component fails to handle objects in memory properly. An attacker who successfully exploits it can run arbitrary code in kernel mode to install programs, manipulate data, or even create new accounts with full user rights on the user’s system. Although there are reports that the vulnerability is being actively exploited, there is no information as of yet on the impact of that exploitation.
Other notable vulnerabilities addressed in this round of updates include the Hyper-V Remote Code Execution vulnerability CVE-2018-0959 and the Hyper-V vSMB Remote Code Execution vulnerability CVE-2018-0961. While the two vulnerabilities have different root causes, both could allow an attacker using a guest operating system (OS) to elevate privileges and execute code via a specially crafted program running on the guest OS.
This month’s Patch Tuesday includes eleven vulnerabilities disclosed via Trend Micro’s ZDI:
- CVE-2018-1021
- CVE-2018-1025
- CVE-2018-8112
- CVE-2018-8123
- CVE-2018-8124
- CVE-2018-8157
- CVE-2018-8162
- CVE-2018-8163
- CVE-2018-8164
- CVE-2018-8165
- CVE-2018-8179
Alongside Microsoft’s updates, Adobe also released its own set of security updates, which include:
- APSB18-12: An update that addresses a vulnerability in the validation of certificates used by Creative Cloud desktop applications (CVE-2018-4991), and an improper input validation vulnerability (CVE-2018-4992) that could lead to privilege escalation
- APSB18-16: An update that addresses critical vulnerabilities in Adobe Flash Player 29.0.0.140 and earlier versions
- APSB18-18: An update for Adobe Connect that addresses the authentication bypass vulnerability CVE-2018-499
Trend Micro™ Deep Security and Vulnerability Protection protect user systems from threats that may target the vulnerabilities mentioned above via the following DPI rules:
- 1009058 - Detected Server Message Block (SMB) Outgoing Request
- 1009067 - Microsoft Windows VBScript Engine Remote Code Execution Vulnerability (CVE-2018-8174)
- 1009068 - Microsoft Edge Memory Corruption Vulnerability (CVE-2018-8179)
- 1009072 - Microsoft Office Remote Code Execution Vulnerability (CVE-2018-8158)
- 1009073 - Microsoft Office Remote Code Execution Vulnerability (CVE-2018-8157)
- 1009075 - Microsoft Excel Multiple Remote Code Execution Vulnerabilities (May-2018)
- 1009076 - Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2018-8133)
- 1009078 - Microsoft Edge Memory Corruption Vulnerability (CVE-2018-8123)
- 1009079 - Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2018-8122)
- 1009081 - Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2018-8114)
- 1009082 - Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2018-0955)
- 1009083 - Microsoft Internet Explorer And Edge Scripting Engine Memory Corruption Vulnerability (CVE-2018-0954)
- 1009084 - Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2018-0953)
- 1009085 - Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2018-0951)
- 1009086 - Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2018-0946)
- 1009088 - Microsoft Windows Multiple Elevation Of Privilege Vulnerabilities (May 2018)
- 1009094 - Microsoft Edge Out Of Bounds Read Vulnerability (CVE-2018-8137)
- 1009176 - Microsoft Internet Explorer And Edge Information Disclosure Vulnerability (CVE-2018-1025)
Trend Micro™ TippingPoint™ customers are protected from threats that may exploit the vulnerabilities via these MainlineDV filters:
- 31487: HTTP: Microsoft Edge Scripting Engine AppendChild Memory Corruption Vulnerability
- 31488: HTTP: Microsoft Edge Chakra Scripting Engine Proxy Memory Corruption Vulnerability
- 31489: HTTP: Microsoft Edge Scripting Engine Magic Value Memory Corruption Vulnerability
- 31490: HTTP: Microsoft Edge Scripting Engine DefineGetter Memory Corruption Vulnerability
- 31491: HTTP: Microsoft Internet Explorer Prototype Memory Corruption Vulnerability
- 31492: HTTP: Microsoft Internet Explorer __proto__ Memory Corruption Vulnerability
- 31493: HTTP: Microsoft Windows VBScript Engine Class_Terminate Use-after-Free Vulnerability
- 31494: HTTP: Microsoft Edge Scripting Engine Window Event Memory Corruption Vulnerability
- 31498: HTTP: Microsoft Edge RTCIceTransport Use-After-Free Vulnerability
- 31552: HTTP: Microsoft Edge CSS Use-After-Free Vulnerability
- 31554: HTTP: Microsoft Excel Use-After-Free Vulnerability
- 31555: HTTP: Microsoft Excel Use-After-Free Vulnerability
- 31556: HTTP: Microsoft Office Buffer Overflow Vulnerability
- 31557: HTTP: Microsoft Office Buffer Overflow Vulnerability
- 31558: HTTP: Microsoft Win32k Use-After-Free Vulnerability
- 31559: HTTP: Microsoft Excel Memory Corruption Vulnerability
- 31560: HTTP: Microsoft Windows CLFS Memory Corruption Vulnerability
- 31561: HTTP: Microsoft Windows Memory Corruption Vulnerability
- 31562: HTTP: Microsoft Win32k Elevation of Privilege Vulnerability
- 31563: HTTP: Microsoft Internet Explorer RegExp Replace Use-after-Free Vulnerability
- 31571: HTTP: Microsoft DirectX Graphics Kernel Integer Overflow Vulnerability
- 31572: HTTP: Microsoft Windows Memory Corruption Vulnerability
- 31573: HTTP: Microsoft Outlook Use-After-Free Vulnerability