This month sees a host of memory corruption vulnerabilities patched and Intel discovers a new speculative execution side channel flaw.
Month of Memory Corruption Vulnerabilities
The latest version of Windows 10, Windows Server version 1803, IE and Edge get 11 critical patches for remote code vulnerabilities, including Adobe Flash. There are five fixes for Chakra scripting engine memory corruption flaws, while CVE-2018-8371 and CVE-2018-8373 fix scripting engine memory corruption vulnerabilities in IE. CVE-2018-8373 is a zero-day vulnerability, discovered by security researcher Elliot Cao, that can be exploited using web-based attacks or documents that use IE’s rendering engine. Microsoft says that details about the flaw were made public before Patch Tuesday and that some attacks had already been seen in the wild.
Three fixes patch memory corruption vulnerabilities in ‘Microsoft browsers’, and CVE-2018-8377 and CVE-2018-8387 fix memory corruption flaws in Edge. These vulnerabilities are rated critical because the attacker could run code in the context of the logged in user without gaining physical access. And if the user has administrative privilege, that means the attacker could potentially ‘own’ the device.
19 other patches are rated important, 10 of which are elevation of privilege vulnerabilities. A Windows shell remote code execution vulnerability (CVE-2018-8414) that does not properly validate file paths, could lead to an attacker exploiting a Windows Control Panel shortcut to distribute malware. This flaw has been actively exploited since July. Microsoft blocked the ability to embed SettingContent-ms files in emails and Office 365 documents in the middle of July to help stop the attack. This latest patch should plug the hole permanently.
Other Versions of Windows
Windows 7 SP1 gets patches for 15 vulnerabilities, 3 of which are critical and 12 important. Windows Server 2016 has 20 patched vulnerabilities, 2 of which are critical and the rest important. The Windows 10 version 1803 cumulative quality update patches the security vulnerabilities listed above, plus a series of other issues, including a battery life issue after the upgrade to version 1803, and a high CPU usage issue for AMD Family processors of the 15th and 16th generation after installing Microsoft’s June or July 2018 updates and microcode updates.
In addition to the Adobe Flash advisory, which we get every month, there are two others to address issues with Microsoft Office and a new speculative execution side channel vulnerability, also referred to as L1 Terminal Fault (L1TF) that affects Intel CPUs. Microsoft says that this flaw can be used to read content across security boundaries and provides a detailed analysis of the vulnerability on its Security Research and Defense blog here. Intel also has a piece about L1TF here. Microsoft’s patch protects the Windows kernel without any microcode update. For customers looking for full protection, specifically those using a hypervisor, a microcode update is also required.
Microsoft notes that if installing the KB4340731 or KB4340733 updates for Exchange 2013 and 2016, you must launch the files with elevated privileges. Failing to do so will install the updates but with some files missing.