This month’s Microsoft Patch Tuesday includes important updates that patch two zero-day vulnerabilities that are already being actively exploited.
The first of these zero-day vulnerabilities is CVE-2018-8373, a use-after-free (UAF) vulnerability in the VBScript engine that Trend Micro researchers found in Internet Explorer. It bears many similarities to CVE-2018-8174, another VBScript engine vulnerability that was patched back in May. Successful exploitation could allow attackers to remotely gain administrative rights over the target system. While this vulnerability is specific to Internet Explorer, note that IE 11 is not affected, since Microsoft disabled VBScript by default in Windows 10 Redstone 3, released in October 2017.
The second zero-day vulnerability patched this month is CVE-2018-8414, a Windows Shell remote code execution vulnerability caused by improper validation of file paths. This vulnerability is a double whammy, as it also affects Adobe Acrobat by way of the reader permitting certain file types to be embedded. Adobe also addressed the vulnerability on their end by blocking the embedding of these file types in Acrobat.
Given that both vulnerabilities are already being actively exploited, we recommend that users prioritize applying the latest updates to their computers to prevent any possible malicious exploitation involving them.
In addition to CVE-2018-8373, twelve other vulnerabilities were disclosed via Trend Micro’s Zero Day Initiative (ZDI):
- CVE-2018-8302
- CVE-2018-8316
- CVE-2018-8344
- CVE-2018-8345
- CVE-2018-8346
- CVE-2018-8371
- CVE-2018-8394
- CVE-2018-8400
- CVE-2018-8401
- CVE-2018-8404
- CVE-2018-8405
- CVE-2018-8406
As is commonly the case, Adobe also released their own set of updates, which includes fixes for Flash Player and the aforementioned Acrobat issue:
- APSB18-20: An update that addresses an insecure library loading vulnerability in the Creative Cloud Desktop Application installer that could lead to an attacker gaining certain privileges.
- APSB18-25: A series of updates that addresses vulnerabilities in Adobe Flash Player 30.0.0.134 and earlier versions; successful exploitation could allow an attacker to execute arbitrary code.
- APSB18-26: A series of updates that resolves cross-site scripting vulnerabilities in Adobe Experience Manager that could result in sensitive information disclosure and unauthorized information modification.
- APSB18-29: A series of updates that fixes critical vulnerabilities in Adobe Acrobat and Reader for Microsoft Windows and Apple macOS that could lead to arbitrary code execution. One of the vulnerabilities addressed in this patch (CVE-2018-12799) was disclosed via Trend Micro's Zero Day Initiative.
Trend Micro™ Deep Security and Vulnerability Protection protect user systems from threats that may target the vulnerabilities addressed in this month's round of updates via the following DPI rules:
- 1009053-Microsoft Edge Information Disclosure Vulnerability (CVE-2018-0763)
- 1009106-Adobe Acrobat and Reader Out Of Bounds Write Vulnerability (CVE-2017-16407)
- 1009166-Adobe Acrobat and Reader Heap Overflow Vulnerability (CVE-2018-4982)
- 1009217-Microsoft Edge Information Disclosure Vulnerability (CVE-2018-1021)
- 1009240-Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2018-8266)
- 1009241-Microsoft Graphics Remote Code Execution Vulnerability (CVE-2018-8344)
- 1009242-Microsoft Windows LNK Remote Code Execution Vulnerability (CVE-2018-8345)
- 1009243-Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2018-8353)
- 1009244-Microsoft Internet Explorer And Edge Scripting Engine Memory Corruption Vulnerability (CVE-2018-8355)
- 1009245-Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2018-8371)
- 1009246-Microsoft Internet Explorer And Edge Scripting Engine Memory Corruption Vulnerability (CVE-2018-8372)
- 1009247-Microsoft PowerPoint Remote Code Execution Vulnerability (CVE-2018-8376)
- 1009248-Microsoft Excel Remote Code Execution Vulnerability (CVE-2018-8379)
- 1009249-Microsoft Edge Spoofing Vulnerability (CVE-2018-8383)
- 1009250-Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2018-8384)
- 1009251-Microsoft Edge Memory Corruption Vulnerability (CVE-2018-8387)
- 1009252-Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2018-8389)
- 1009253-Microsoft Windows DirectX Graphics Kernel Elevation Of Privilege Vulnerability (CVE-2018-8401)
- 1009254-Microsoft Internet Explorer And Edge Memory Corruption Vulnerability (CVE-2018-8403)
- 1009255-Microsoft Windows Win32k Elevation Of Privilege Vulnerability (CVE-2018-8404)
- 1009256-Microsoft Windows DirectX Graphics Kernel Elevation Of Privilege Vulnerability (CVE-2018-8405)
- 1009257-Microsoft Windows DirectX Graphics Kernel Elevation Of Privilege Vulnerability (CVE-2018-8406)
Trend Micro™ TippingPoint™ customers are protected from threats that may exploit this month’s list of vulnerabilities via these MainlineDV filters:
- 32829: HTTP: Microsoft Windows Integer Overflow Vulnerability
- 32830: HTTP: Microsoft Windows Memory Corruption Vulnerability
- 32831: HTTP: Microsoft Edge Type Confusion Vulnerability
- 32832: HTTP: Microsoft Internet Explorer Use-After-Free Vulnerability
- 32833: HTTP: Microsoft Edge Memory Corruption Vulnerability
- 32834: HTTP: Microsoft PowerPoint Type Confusion Vulnerability
- 32835: HTTP: Microsoft Excel Memory Corruption Vulnerability
- 32836: HTTP: Microsoft Edge Address Bar Spoofing Vulnerability
- 32837: HTTP: Microsoft Edge Type Confusion Vulnerability
- 32838: HTTP: Microsoft Edge Memory Corruption Vulnerability
- 32839: HTTP: Microsoft Internet Explorer jscript.dll Memory Corruption Vulnerability
- 32840: HTTP: Microsoft BasicRender Window Driver Memory Corruption Vulnerability
- 32842: HTTP: Microsoft Edge Memory Corruption Vulnerability
- 32843: HTTP: Microsoft Windows dxgmms1 Driver Type Confusion Vulnerability
- 32844: HTTP: Microsoft Windows dxgkrnl Driver Type Confusion Vulnerability
- 32845: HTTP: Microsoft Windows Redirected Bitmap Use-After-Free Vulnerability
- 32846: HTTP: Microsoft Edge transform-style Type Confusion Vulnerability
- 32847: HTTP: Microsoft Internet Explorer RegExp Use-After-Free Vulnerability