1. IT-Security >
  2. Hacking >
  3. The October 2018 Security Update Review


ArabicEnglishFrenchGermanGreekItalianJapaneseKoreanPersianPolishPortugueseRussianSpanishTurkishVietnamese

The October 2018 Security Update Review

RSS Kategorie Pfeil Hacking vom | Quelle: thezdi.com Direktlink öffnen

October is upon us and with it comes the latest in security offerings from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.

Adobe Patches for October 2018

Adobe began the October patch cycle early by releasing an update for Acrobat and Reader back on October 1st. This mammoth update corrects 86 CVEs in total, 47 of which are listed as Critical by Adobe. A total of 14 of these bugs came through the ZDI program. The majority of Critical-rated bugs fall under the Out-Of-Bounds (OOB) write category. This release follows closely on the heels of the APSB18-34 release. Don’t let the greater bulletin number confuse you – APSB18-30 released October 1 while APSB18-34 went live on September 19. 

Today, Adobe released four additional patches for Flash, Framemaker, Adobe Digital Editions, and the Adobe Technical Communications Suite. The patch for Flash doesn’t actually correct any security issues – it only contains bugs fixes and performance enhancements. The Digital Editions patch corrects four Critical-rated and five Important-rated CVEs. The Critical bugs could allow remote code execution via either a heap overflow or a Use After Free (UAF). The patches for Framemaker and the Adobe Technical Communications Suite both address Important-rated insecure library loading bugs.

Microsoft Patches for October 2018 

Microsoft released 49 security patches and two advisories covering Internet Explorer (IE), Edge, ChakraCore, Hyper-V, Exchange, Windows components, .NET Core, SQL Server, and Microsoft Office and Office Services. Of the 49 CVEs, 12 are listed as Critical, 35 are rated Important, one is rated as Moderate, and one is rated Low in severity. A total of eight of these CVEs came through the ZDI program. Three of these bugs are listed as publicly known at the time of release and one of these is reported as being actively exploited.

Let’s take a closer look at some of the more interesting patches for this month, starting with the issue currently under active attack:

-       CVE-2018-8453 – Win32k Elevation of Privilege Vulnerability
This CVE covers a Win32K (kernel-mode drivers) elevation of privilege vulnerability listed as currently under active attack. Little information is provided about the active attacks, but considering the nature of the vulnerability and the credit to Kaspersky Labs for reporting it, this is most certainly being used by malware. Given that we haven’t heard of this prior to today, it’s also safe to say these attacks are limited in nature – for now. Malware uses kernel elevation bugs to go from user-mode to admin-mode, which allows them full control of a target system.

-       CVE-2018-8423 – Microsoft JET Database Engine Remote Code Execution Vulnerability
We initially disclosed this vulnerability after it exceeded its 120-day timeline, and a patch addressing it is now available. Interestingly, this patch is listed as Important while two JET Database patches last month were listed as Critical despite have similar sounding descriptions. While last month’s issues dealt with Excel files, this bug can be reached by loading a specially crafted Microsoft JET Database Engine file. While we aren’t aware of active attacks using this bug, we still recommend putting this patch near the top of your test and deployment list. 

-       CVE-2010-3190 – MFC Insecure Library Loading Vulnerability 
That’s no typo – this patch addresses a bug first disclosed back in 2010 with Advisory 2269637. Often referred to as “binary planting” or “DLL preloading attacks,” this class of bugs has received close to 30 bulletins in total to fix various components. This month, Microsoft identified Exchange Server as another component that requires similar DLL preloading protections. If you have a version of Exchange prior to Exchange Server 2016 Cumulative Update 11, you’ll also need the Visual Studio 2010 patch from MS11-025. This patch accompanies two command injection fixes impacting Exchange this month, which means another rough month of testing and patching for Exchange admins.

-       CVE-2018-8492 – Device Guard Code Integrity Policy Security Feature Bypass Vulnerability
This patch corrects a vulnerability that could allow an attacker to inject malicious code into a Windows PowerShell session. This may not seem too bad on the surface, but it’s just the type of thing used by fileless malware. Malicious PowerShell scripts are commonly used in these types of attacks and have previously been detailed by Trend Micro researchers. Any file changes to make these types of attacks harder is certainly welcome.

 Here’s the full list of CVEs released by Microsoft for October 2018.

CVE Title Severity Public Exploited XI - Latest XI - Older Type
CVE-2018-8453 Win32k Elevation of Privilege Vulnerability Important No Yes 1 0 EoP
CVE-2018-8423 Microsoft JET Database Engine Remote Code Execution Vulnerability Important Yes No 2 2 RCE
CVE-2018-8497 Windows Kernel Elevation of Privilege Vulnerability Important Yes No 1 1 EoP
CVE-2018-8531 Azure IoT Device Client SDK Memory Corruption Vulnerability Important Yes No 2 2 RCE
CVE-2018-8460 Internet Explorer Memory Corruption Vulnerability Critical No No 1 1 RCE
CVE-2018-8473 Microsoft Edge Memory Corruption Vulnerability Critical No No 1 N/A RCE
CVE-2018-8489 Windows Hyper-V Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2018-8490 Windows Hyper-V Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2018-8491 Internet Explorer Memory Corruption Vulnerability Critical No No 1 1 RCE
CVE-2018-8494 MS XML Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2018-8500 Scripting Engine Memory Corruption Vulnerability Critical No No 1 N/A RCE
CVE-2018-8505 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No 1 N/A RCE
CVE-2018-8509 Microsoft Edge Memory Corruption Vulnerability Critical No No 1 N/A RCE
CVE-2018-8510 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No 1 N/A RCE
CVE-2018-8511 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No 1 N/A RCE
CVE-2018-8513 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No 1 N/A RCE
CVE-2010-3190 MFC Insecure Library Loading Vulnerability Important No No 2 2 RCE
CVE-2018-8265 Microsoft Exchange Server Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2018-8320 Windows DNS Security Feature Bypass Vulnerability Important No No 2 2 SFB
CVE-2018-8329 Linux On Windows Elevation Of Privilege Vulnerability Important No No 2 2 EoP
CVE-2018-8330 Windows Kernel Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2018-8333 Microsoft Filter Manager Elevation Of Privilege Vulnerability Important No No 1 1 EoP
CVE-2018-8411 NTFS Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2018-8413 Windows Theme API Remote Code Execution Vulnerability Important No No 1 1 RCE
CVE-2018-8427 Microsoft Graphics Components Information Disclosure Vulnerability Important No No N/A 2 Info
CVE-2018-8432 Microsoft Graphics Components Remote Code Execution Vulnerability Important No No N/A 2 RCE
CVE-2018-8448 Microsoft Exchange Server Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2018-8472 Windows GDI Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2018-8480 Microsoft SharePoint Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2018-8481 Windows Media Player Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2018-8482 Windows Media Player Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2018-8484 DirectX Graphics Kernel Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2018-8486 DirectX Information Disclosure Vulnerability Important No No 1 1 Info
CVE-2018-8488 Microsoft SharePoint Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2018-8492 Device Guard Code Integrity Policy Security Feature Bypass Vulnerability Important No No 1 1 SFB
CVE-2018-8493 Windows TCP/IP Information Disclosure Vulnerability Important No No 1 1 Info
CVE-2018-8495 Windows Shell Remote Code Execution Vulnerability Important No No 1 1 RCE
CVE-2018-8498 Microsoft SharePoint Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2018-8501 Microsoft PowerPoint Security Feature Bypass Vulnerability Important No No 1 1 SFB
CVE-2018-8502 Microsoft Excel Security Feature Bypass Vulnerability Important No No 1 1 SFB
CVE-2018-8504 Microsoft Word Security Feature Bypass Vulnerability Important No No 1 1 SFB
CVE-2018-8506 Microsoft Windows Codecs Library Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2018-8512 Microsoft Edge Security Feature Bypass Vulnerability Important No No 2 N/A SFB
CVE-2018-8518 Microsoft SharePoint Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2018-8527 SQL Server Management Studio Information Disclosure Important No No 2 2 Info
CVE-2018-8530 Microsoft Edge Security Feature Bypass Vulnerability Important No No 2 N/A SFB
CVE-2018-8532 SQL Server Management Studio Information Disclosure Important No No 2 2 Info
CVE-2018-8533 SQL Server Management Studio Information Disclosure Moderate No No 2 2 Info
CVE-2018-8503 Chakra Scripting Engine Memory Corruption Vulnerability Low No No 2 N/A RCE

While this month is slightly smaller than the last few releases, browser bugs and remote code execution (RCE) bugs still dominate the release. Of the 49 patches, 18 are listed as RCE while 12 affect browsers. One of the browser related bugs is listed as Low-severity, which is odd since the description is identical to other, higher rated vulnerabilities. There also seems to be a renewed interest in networking protocols, as both the DNS service and TCP/IP stack receive updates this month. Virtualization also continues to see interest with two Guest-to-Host elevations fixed by patches for Hyper-V. Office components are well represented in this release with updates for Excel, Word, PowerPoint, graphics components, and SharePoint amongst the October patches.

Similar to the bug under active attack, a dozen different elevation of privilege (EoP) bugs are fixed in this release. Normally, these bugs require an attacker to log on to a system and execute code to elevate privileges. However, CVE-2018-8333 turns that on its head a bit. In this instance, an attacker would need to log on to a target system and delete a specially crafted file rather than execute specially crafted code. The Linux-on-Windows subsystem also receives a patch for an EoP, but this one has the more traditional exploit vector.

Multiple Windows components receive patches this month, including additional kernel fixes. There are also updates for the Windows graphics components, media player, XML core services, and the Windows shell. There’s also a patch for the Azure IoT Device Client SDK, which allows developers to build apps that run on IoT devices. The RCE bug fixed here is the final one listed as publicly known for this release. It’s also interesting to see IoT bugs get patched, as these may reveal techniques that could be used in the IoT category of the upcoming Pwn2Own Tokyo

Finally, there is one advisory to cover this month. It provides defense-in-depth enhancements for Office. It’s unclear what these enhancements entail or why they couldn’t be included in one of the other Office patches.

Looking Ahead

The next patch Tuesday falls on November 13, and we’ll return with details and patch analysis then. Until then, happy patching and may all your reboots be smooth and clean!

...

Webseite öffnen Komplette Webseite öffnen

Newsbewertung

Kommentiere zu The October 2018 Security Update Review






Ähnliche Beiträge

  • 1. CentOS Blog: CentOS Pulse Newsletter, November 2018 (#1806) vom 402.36 Punkte ic_school_black_18dp
    Dear CentOS enthusiast, Here's what's been happening in the past month at CentOS. Releases and updates The following releases and updates happened in October. For each update, the given URL provides the upstream notes about the change. Errata and Enh
  • 2. CentOS Blog: CentOS Pulse Newsletter, January 2019 (#1901) vom 337.32 Punkte ic_school_black_18dp
    Dear CentOS enthusiast, We wish you a happy and prosperous 2019, full of CentOS! Releases and updates SIG updates Events Contributing to the newsletter Releases and updates December was a very busy month for releases and updates. The following releases a
  • 3. CentOS Blog: CentOS Pulse Newsletter, January 2019 (#1901) vom 337.32 Punkte ic_school_black_18dp
    Dear CentOS enthusiast, We wish you a happy and prosperous 2019, full of CentOS! Releases and updates SIG updates Events Contributing to the newsletter Releases and updates December was a very busy month for releases and updates. The following releases a
  • 4. CentOS Blog: CentOS Pulse Newsletter, January 2019 (#1901) vom 337.32 Punkte ic_school_black_18dp
    Dear CentOS enthusiast, We wish you a happy and prosperous 2019, full of CentOS! Releases and updates SIG updates Events Contributing to the newsletter Releases and updates December was a very busy month for releases and updates. The following releases a
  • 5. The November 2018 Security Update Review vom 262.47 Punkte ic_school_black_18dp
    November is here and with it comes the latest in security offerings from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month. Adobe Patches for November 2018
  • 6. The October 2018 Security Update Review vom 261.14 Punkte ic_school_black_18dp
    October is upon us and with it comes the latest in security offerings from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month. Adobe Patches for October 2018 A
  • 7. USN-3544-1: Firefox vulnerabilities vom 225.6 Punkte ic_school_black_18dp
    Ubuntu Security Notice USN-3544-1 24th January, 2018 firefox vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.10 Ubuntu 16.04 LTS Ubuntu 14.04 LTS Summary Firefox could be made to crash or
  • 8. CentOS Blog: CentOS Pulse Newsletter, September 2018 (#1804) vom 205.64 Punkte ic_school_black_18dp
    Dear CentOS enthusiast, Here's what's been happening in the past month at CentOS Releases and Updates The following releases and updates happened in August. For each update, the given URL provides the upstream notes about the change. Releases We're ple
  • 9. CentOS Blog: CentOS Pulse Newsletter, October 2018 (#1805) vom 192.54 Punkte ic_school_black_18dp
    Dear CentOS enthusiast, Here's what's been happening in the past month at CentOS Releases and Updates The following releases and updates happened in August. For each update, the given URL provides the upstream notes about the change. Errata and Enhance
  • 10. The December 2018 Security Update Review vom 176.97 Punkte ic_school_black_18dp
    December is here and with it comes the latest in security offerings from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month. Adobe Patches for December 2018
  • 11. USN-4118-1: Linux kernel (AWS) vulnerabilities vom 147.12 Punkte ic_school_black_18dp
    linux-aws vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 18.04 LTS Ubuntu 16.04 LTS Summary Several security issues were fixed in the Linux kernel. Software Description linux-aws - Linux kernel for Amazon Web Services
  • 12. USN-3415-2: tcpdump vulnerabilities vom 125.28 Punkte ic_school_black_18dp
    Ubuntu Security Notice USN-3415-2 13th September, 2017 tcpdump vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 12.04 LTS Summary Several security issues were fixed in tcpdump Software description tcpdump