Patch Tuesday Tackles Two Flaws Under Active Attack

Tom Jowitt is a leading British tech freelance and long-standing contributor to TechWeek Europe.

Security update tackles 67 vulnerabilities in total, including two zero-days being actively attacked

Microsoft has issued its Patch Tuesday security update for May that included patches for 67 vulnerabilities spread across its software portfolio.

Indeed, the fixes this month cover security flaws in Windows, Internet Explorer, Edge, ChakraCore, .NET Framework, Microsoft Exchange Server, Windows Host Compute Service Shim, and Office and Office Services and Web Apps.

Meanwhile, Adobe has also shipped a new Flash Player update that addresses a single (but critical) security weakness in its much-maligned media player.

Patch Tuesday

One of the most interesting developments in Microsoft’s May Patch Tuesday is that its fixes include two critical remote code-execution vulnerabilities, both of which are under active attack.

A zero-day in Internet Explorer was abused by a cyber-espionage campaign earlier this month. CVE-2018-8174 affects not only IE but also any other projects that embed the IE web rendering engine.

Meanwhile the second zero-day is CVE-2018-8120, which is an elevation-of-privilege vulnerability in the Win32k component.

“CVE-2018-8120 is a vulnerability in older Windows OS versions (Windows 7, Server 2008, Server 2008 R2) that has been detected in exploits in the wild,” explained Chris Goettl, director of product management at Ivanti. “This vulnerability allows an attacker who is logged onto a system to run a specially crafted file to gain privileged access to the system.”

Meanwhile, Gill Langston, director of product management at Qualys, feels that system admins need to prioritise patching of user-facing assets first, with a focus on OS, browser patches, and Office to resolve scripting engine vulnerabilities.

“Listed as ‘Exploitation Detected’, it is recommended to test and deploy the fix for CVE-2018-8174 to address how scripting engine handles memory objects – this should capture immediate attention,” added Langston.

“Browsers are typically targeted heavily, and there is no exception this month – there are 18 CVEs marked as critical this month, with the recommendation to install the cumulative updates wherever possible,” Langston said.

“May’s Patch Tuesday is here and it looks like these monthly releases have plateaued at around 70 CVEs patched per month,” noted Karl Sigler, threat intelligence manager of SpiderLabs (at Trustwave).

“May comes in with 68 CVEs total including 21 rated “Critical”, 44 rated “Important”, and three rated “Low”,” said Sigler. “Among the Critical vulnerabilities, issues with the Microsoft Scripting engine continue to plague Microsoft products. Any product from IE to Office that can execute VBScript or JavaScript could be vulnerable to remote code execution. Also included in the Critical list are two remote code execution vulnerabilities for the Hyper-V cloud platform.”

“May’s release also contains the out of band patch for CVE-2018-8115 affecting the Windows Host Compute Service Shim library,” said Sigler. “Among the Important and Low rated vulnerabilities, there are dozens of vulnerabilities patched for server platforms like SharePoint and Exchange Server as well as client software like the Office Suite, Outlook, IE and Edge.”

Browser trouble

Meanwhile, Greg Wiseman, senior security researcher at Rapid7, noted that most of May’s fixes seem to be browser related.

“Microsoft has released patches that resolve over 60 separate vulnerabilities including an update for Flash Player that addresses a critical Remote Code Execution (RCE) vulnerability,” said Wiseman. “As usual, the majority of fixes are browser-related, but Microsoft Office is also seeing its fair share this month.”

“Not Microsoft-specific, CVE-2018-8897 is the result of nearly all operating system vendors incorrectly handling debug exceptions coming from Intel architecture chips,” said Wiseman. “Nobody wants to see another cross-platform, chip-related security issue, but CVE-2018-8897 is a nice example of coordinated disclosure.”

“Two Microsoft vulnerabilities this month are known to be exploited in the wild. CVE-2018-8120 is an elevation of privilege vulnerability affecting Windows 7, Server 2008, and Server 2008 R2,” said Wiseman.

“CVE-2018-8174, on the other hand, affects all supported versions of Windows and could lead to arbitrary code execution,” said Wiseman. “As it’s a flaw in Microsoft’s VBScript engine, there are a variety of potential attack vectors.”
