Microsoft shut down a zero-day vulnerability launched by a Twitter user in August and a denial-of-service flaw on September Patch Tuesday.
A security researcher identified by the Twitter handle SandboxEscaper shared a zero-day exploit in the Windows task scheduler on Aug. 27. Microsoft issued an advisory after SandboxEscaper uploaded proof-of-concept code on GitHub. The company fixed the ALPC elevation of privilege vulnerability (CVE-2018-8440) with its September Patch Tuesday security updates. A malicious actor could use the exploit to gain elevated privileges in unpatched Windows systems.
“[The attacker] can run arbitrary code in the context of local system, which pretty much means they own the box … that one’s a particularly nasty one,” said Chris Goettl, director of product management at Ivanti, based in South Jordan, Utah.
The vulnerability requires local access to a system, but the public availability of the code increased the risk. An attacker used the code to send targeted spam that, if successful, implemented a two-stage backdoor on a system.
“Once enough public information gets out, it may only be a very short period of time before an attack could be created,” Goettl said. “Get the Windows OS updates deployed as quickly as possible on this one.”
Microsoft addresses three more public disclosures
Administrators should prioritize patching three more public disclosures highlighted in September Patch Tuesday.
Microsoft resolved a denial-of-service vulnerability (CVE-2018-8409) with ASP.NET Core applications. An attacker could cause a denial of service with a specially crafted request to the application. Microsoft fixed the framework’s web request handling abilities, but developers also must build the update into the vulnerable application in .NET Core and ASP.NET Core.
A remote code execution vulnerability (CVE-2018-8457) in the Microsoft Scripting Engine opens the door to a phishing attack, where an attacker uses a specially crafted image file to compromise a system and execute arbitrary code. A user could also trigger the attack if they open a specially constructed Office document.
“Phishing is not a true barrier; it’s more of a statistical challenge,” Goettl said. “If I get enough people targeted, somebody’s going to open it.”
This exploit is rated critical for Windows desktop systems using Internet Explorer 11 or Microsoft Edge. Organizations that practice least privilege principles can mitigate the impact of this exploit.
Another critical remote code execution vulnerability in Windows (CVE-2018-8475) allows an attacker to send a specially crafted image file to a user, who would trigger the exploit if they open the file.
September Patch Tuesday issues 17 critical updates
September Patch Tuesday addressed more than 60 vulnerabilities, 17 rated critical, with a larger number focused on browser and scripting engine vulnerabilities.
“Compared to last month, it’s a pretty mild month. The OS and browser updates are definitely in need of attention,” Goettl said.
Microsoft closed two critical remote code execution flaws (CVE-2018-0965 and CVE-2018-8439) in Hyper-V and corrected how the Microsoft hypervisor validates guest operating system user input. On an unpatched system, an attacker could run a specially crafted application on a guest operating system to force the Hyper-V host to execute arbitrary code.
Microsoft also released an advisory (ADV180022) for administrators to protect Windows systems from a denial-of-service vulnerability named “FragmentSmack” (CVE-2018-5391). An attacker can use this exploit to target the IP stack with eight-byte IP fragments and withholding the last fragment to trigger full CPU utilization and force systems to become unresponsive.
Microsoft also released an update to a Microsoft Exchange 2010 remote code execution vulnerability (CVE-2018-8154) first addressed on May Patch Tuesday. The fix corrects the faulty update that could break functionality with Outlook on the web or the Exchange Control Panel.
“This might catch people by surprise if they are not looking closely at all the CVEs this month,” Goettl said.