The July 2018 Security Update ReviewJuly 10, 2018 | Dustin Childs
July is here and with it comes the latest in security offerings from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.
Adobe Patches for July 2018
This month, Adobe released four patches for Flash, Adobe Reader, Experience Manager, and Adobe Connect. The patch for Adobe Flash is quite small this month with only two CVEs being addressed. The first is a type confusion bug submitted through the ZDI program that could lead to remote code execution. The other bug is a less severe information disclosure vulnerability due to an out-of-bounds Read. The patch for Experience Manager fixes three information disclosure bugs. The Connect patch also fixes three bugs, with two being authentication bypasses and one being an insecure library load.
Unlike these others, the Acrobat patch is enormous, with 107 CVEs being addressed in whole. A total of 68 of these CVEs came through the ZDI program. With so many issues being fixed, it’s hard to pull out any specific ones to highlight. The types of bugs fixed by this patch include out-of-bounds reads, out-of-bounds writes, heap overflows, type confusions, and use-after-frees. The worst of these could allow an attacker’s code to execute by opening a malicious PDF. While it’s good to see Adobe address so many issues at once, it’s a bit troubling that Adobe needs to address so many bugs at once.
Microsoft Patches for July 2018
Microsoft released 53 security patches for July covering Internet Explorer (IE), Edge, ChakraCore, Windows, .NET Framework, ASP.NET, PowerShell, Visual Studio, and Microsoft Office and Office Services. Of these 53 CVEs, 18 are listed as Critical, 33 are rated Important, one is rated as Moderate, and one is rated as Low in severity. Five of these CVEs came through the ZDI program. None of the bugs patched this month are listed as publicly known or under active attack at the time of release.
Let’s take a closer look at some of the more interesting patches for this month:
- CVE-2018-8304 - Windows DNSAPI Denial of Service Vulnerability
While not a severe as last month’s wormable CVE-2018-8225, this bug could allow remote attackers to shut down a DNS server through merely a malformed DNS response. Again, that’s better than code execution, but it’s never good when an adversary can remotely shut down a part of your critical infrastructure.
- CVE-2018-8310 - Microsoft Office Tampering Vulnerability
At first glance, this seems like a relatively typical Office vulnerability in that opening a malicious file leads to bad things. In this case, there’s a different wrinkle that opens some interesting possibilities. An attacker exploiting this vulnerability could embed untrusted TrueType fonts into an email. Bugs in fonts have been popular since 2013 and have been used in malware attacks in the past. This bug could allow them to spread and possibly even bypass traditional filters. That’s likely the reason Microsoft chose to go ahead and release a patch for this Low-rated vulnerability.
- CVE-2018-8306 - Microsoft Wireless Display Adapter Command Injection Vulnerability
When I first read the title, I was hoping for a bug that allowed an attacker to hijack a wireless display. This is not that bug. This vulnerability requires authentication and could cause the display to malfunction. While the bug itself isn’t that bad, the update scenario sounds taxing. The patch is a firmware update. To get the new firmware, it has to be downloaded from the Wireless Display Adapter App available in the Microsoft App Store. That doesn’t sound like something easily automated. From a sysadmin’s perspective, this patch will be very labor intensive to roll out.
This bug allows an attacker to generate signatures that mimic the entity associated with a public/private key pair. While this doesn’t appear to circumvent authentic public/private key pairs, it likely can be used by malware authors to make their attacks appear genuine.
Here’s the full list of CVEs released by Microsoft for June 2018. We’ve added a column showing the type of vulnerability being addressed. Let us know what you think.
|CVE||Title||Severity||Public||Exploited||XI - Latest||XI - Older||Type|
|CVE-2018-8242||Scripting Engine Memory Corruption Vulnerability||Critical||No||No||1||1||RCE|
|CVE-2018-8262||Microsoft Edge Memory Corruption Vulnerability||Critical||No||No||1||N/A||RCE|
|CVE-2018-8274||Microsoft Edge Memory Corruption Vulnerability||Critical||No||No||1||N/A||RCE|
|CVE-2018-8275||Scripting Engine Memory Corruption Vulnerability||Critical||No||No||1||1||RCE|
|CVE-2018-8279||Scripting Engine Memory Corruption Vulnerability||Critical||No||No||1||1||RCE|
|CVE-2018-8280||Chakra Scripting Engine Memory Corruption Vulnerability||Critical||No||No||1||1||RCE|
|CVE-2018-8283||Scripting Engine Memory Corruption Vulnerability||Critical||No||No||1||1||RCE|
|CVE-2018-8286||Chakra Scripting Engine Memory Corruption Vulnerability||Critical||No||No||1||1||RCE|
|CVE-2018-8288||Scripting Engine Memory Corruption Vulnerability||Critical||No||No||1||1||RCE|
|CVE-2018-8289||Microsoft Edge Information Disclosure Vulnerability||Critical||No||No||1||1||Info|
|CVE-2018-8290||Chakra Scripting Engine Memory Corruption Vulnerability||Critical||No||No||1||1||RCE|
|CVE-2018-8291||Scripting Engine Memory Corruption Vulnerability||Critical||No||No||1||1||RCE|
|CVE-2018-8294||Chakra Scripting Engine Memory Corruption Vulnerability||Critical||No||No||1||1||RCE|
|CVE-2018-8296||Scripting Engine Memory Corruption Vulnerability||Critical||No||No||1||1||RCE|
|CVE-2018-8298||Chakra Scripting Engine Memory Corruption Vulnerability||Critical||No||No||1||1||RCE|
|CVE-2018-8301||Microsoft Edge Memory Corruption Vulnerability||Critical||No||No||1||N/A||RCE|
|CVE-2018-8324||Microsoft Edge Information Disclosure Vulnerability||Critical||No||No||1||N/A||Info|
|CVE-2018-8327||PowerShell Editor Services Remote Code Execution Vulnerability||Critical||No||No||2||2||RCE|
|CVE-2018-0949||Internet Explorer Security Feature Bypass Vulnerability||Important||No||No||1||1||SFB|
|CVE-2018-8125||Chakra Scripting Engine Memory Corruption Vulnerability||Important||No||No||1||1||SFB|
|CVE-2018-8171||ASP.NET Core Security Feature Bypass Vulnerability||Important||No||No||3||3||SFB|
|CVE-2018-8172||Visual Studio Remote Code Execution Vulnerability||Important||No||No||2||2||RCE|
|CVE-2018-8202||.NET Framework Elevation of Privilege Vulnerability||Important||No||No||2||2||EoP|
|CVE-2018-8206||Windows FTP Server Denial of Service Vulnerability||Important||No||No||2||2||DoS|
|CVE-2018-8222||Device Guard Code Integrity Policy Security Feature Bypass Vulnerability||Important||No||No||2||2||SFB|
|CVE-2018-8325||Microsoft Edge Information Disclosure Vulnerability||Important||No||No||2||N/A||Info|
|CVE-2018-8238||Skype for Business and Lync Security Feature Bypass Vulnerability||Important||No||No||2||2||SFB|
|CVE-2018-8260||.NET Framework Remote Code Execution Vulnerability||Important||No||No||3||N/A||RCE|
|CVE-2018-8276||Scripting Engine Security Feature Bypass Vulnerability||Important||No||No||2||2||SFB|
|CVE-2018-8278||Microsoft Edge Spoofing Vulnerability||Important||No||No||1||N/A||Spoof|
|CVE-2018-8281||Microsoft Office Remote Code Execution Vulnerability||Important||No||No||2||2||RCE|
|CVE-2018-8282||Win32k Elevation of Privilege Vulnerability||Important||No||No||3||1||EoP|
|CVE-2018-8284||.NET Framework Remote Code Injection Vulnerability||Important||No||No||2||2||RCE|
|CVE-2018-8287||Scripting Engine Memory Corruption Vulnerability||Important||No||No||1||1||RCE|
|CVE-2018-8297||Microsoft Edge Information Disclosure Vulnerability||Important||No||No||1||N/A||Info|
|CVE-2018-8299||Microsoft SharePoint Elevation of Privilege Vulnerability||Important||No||No||2||2||EoP|
|CVE-2018-8300||Microsoft SharePoint Remote Code Execution Vulnerability||Important||No||No||2||2||RCE|
|CVE-2018-8304||Windows DNSAPI Denial of Service Vulnerability||Important||No||No||2||2||DoS|
|CVE-2018-8305||Windows Mail Client Information Disclosure Vulnerability||Important||No||No||2||2||Info|
|CVE-2018-8306||Microsoft Wireless Display Adapter Command Injection Vulnerability||Important||No||No||2||2||RCE|
|CVE-2018-8307||WordPad Security Feature Bypass Vulnerability||Important||No||No||2||2||SFB|
|CVE-2018-8308||Windows Kernel Elevation of Privilege Vulnerability||Important||No||No||2||2||EoP|
|CVE-2018-8309||Windows Denial of Service Vulnerability||Important||No||No||2||2||DoS|
|CVE-2018-8311||Remote Code Execution Vulnerability in Skype For Business and Lync||Important||No||No||2||2||RCE|
|CVE-2018-8312||Microsoft Access Remote Code Execution Use After Free Vulnerability||Important||No||No||2||2||RCE|
|CVE-2018-8313||Windows Elevation of Privilege Vulnerability||Important||No||No||1||1||EoP|
|CVE-2018-8314||Windows Elevation of Privilege Vulnerability||Important||No||No||1||1||EoP|
|CVE-2018-8323||Microsoft SharePoint Elevation of Privilege Vulnerability||Important||No||No||2||2||EoP|
|CVE-2018-8326||Open Source Customization for Active Directory Federation Services XSS Vulnerability||Important||No||No||N/A||N/A||Spoof|
|CVE-2018-8356||.NET Framework Security Feature Bypass Vulnerability||Important||No||No||3||3||SFB|
|CVE-2018-8310||Microsoft Office Tampering Vulnerability||Low||No||No||2||2||Tampering|
|CVE-2018-8232||Microsoft Macro Assembler Tampering Vulnerability||Moderate||No||No||N/A||N/A||Tampering|
As for the rest of the release, browser-related bugs remain in the spotlight, with 17 of the 18 Critical-rated bugs being some form of bug in either IE, Edge, or ChakraCore. This continues the trend we’ve been seeing of JIT bugs increasing in browsers. Microsoft implemented UAF mitigations back in 2014. It will be interesting to see if they can do something similar for these types of bugs in the future.
The July release also includes a mixture of Office bugs, with the most important ones affecting SharePoint and Skype for Business. There’s also a patch for a DoS bug in the FTP server. You may think that only affects Windows Server, but the Windows 7, 8, and 10 desktop OSes also include an FTP service for some reason. Everything will need that patch (reboot included).
Patches are also available for the .NET Framework and Visual Studio. Of the two RCE bugs in .NET, one requires a user to open a malicious file with .NET. The other has a more realistic attack scenario where an attacker could pass specific input to an application utilizing susceptible .NET methods. That results in code execution with elevated privileges. One of the Visual Studio bugs is also curious. Tampering bugs aren’t too common, but CVE-2018-8232 certainly qualifies. This bug in the Macro Assembler allows an attacker to introduce code into an application that modifies data within the app in an “unintended” manner. There’s a bunch of scenarios where this could prove fascinating to watch, but they all end up sounding like a plot device in a Mission Impossible movie.
The release is rounded out with kernel updates, a mail client update, a patch for PowerShell, and patch to shut down a sandbox escape in Windows. Finally, Microsoft released their version of the aforementioned Adobe patch for Flash in Internet Explorer.
The next patch Tuesday falls on August 14, and we’ll return with details and patch analysis then. Also, if you haven’t read it, take a few moments to look at the recap covering the program highlights for the first six months of this year. Follow us on Twitter to see the latest and greatest coming from the ZDI program. Until then, happy patching and may all your reboots be smooth and clean!