The meaning behind recent Windows and Adobe security updates
On Sept 11 Microsoft has released a monthly patch update for Sept 2018 with updates relating to Windows, Internet Explorer, Edge Browser and others, with a total of 61 security vulnerabilities patched. 17 of them are critical. Full patch information can be found here. Adobe also released an update to Flash Player and ColdFusion on this day as well. In this article we are going to touch upon some exploitable vulnerabilities that represent high risk for companies that are yet to patch their systems:
CVE-2018-8475: Windows Critical RCE Vulnerability
This vulnerability was ranked as “Exploitation More Likely” by Microsoft. Now that the fix for it was made public we can expect a number of exploits targeting non-patched systems.
Using this vulnerability an attacker could execute arbitrary code on user’s computer by convincing him to download an image file. What this means is that user’s computer can be effectively compromised if the user downloads a specifically crafted image on his desktop.
This vulnerability affects Windows 10, 8.1, 7 Desktop and Windows Server 2008, 2012, 2016.
CVE-2018-8440: Windows ALPC Elevation of Privilege Vulnerability
This vulnerability, ranked as “Exploitation More Likely”, is currently being exploited in public space and was publicly disclosed few days before the release of the patch. To exploit this vulnerability, an attacker would have to authenticate into the system, and then run a specifically crafted application that would take over the computer system by gaining administrative privileges.
A proof of concept for this exploit is available on GitHub: https://github.com/Yt1g3r/CVE-2018-8174_EXP.
The module to test this vulnerability is being developed for Metasploit framework.
CVE-2018-8457: Scripting Engine Memory Corruption Vulnerability
This vulnerability affects Microsoft Browsers and would allow an attacker to obtain local computer privileges by executing malicious code in user’s browser. In an attack scenario, a user would browse to attacker’s website that contain malicious script using Internet Explorer or Edge. Using this vulnerability an attacker could then get the user’s local computer privileges to and execute arbitrary code in the context of current user. If a compromised user is an Administrator, an attacker would get full control of the computer. This vulnerability has to do with defects in scripting engines of Internet Explorer 10, 11 and Edge browsers.
CVE-2018-0965 | CVE-2018-8439 | Windows Hyper-V Remote Code Execution Vulnerability
These vulnerabilities are ranked as “Exploitation Less Likely” by Microsoft. They would allow an attacker to execute arbitrary code on the host Operating System by running a specifically crafted application on Guest OS. The host would fail to validate input from an authenticated user on a Guest OS.
CVE-2018-15967 | Adobe Flash Player
Adobe has released an update for Flash Player for Windows addressing an important flaw in Flash for Google Chrome, Microsoft Edge and Internet Explorer 11. This is a privilege escalation vulnerability that could lead to information disclosure for the affected users browsing a malicious web page. The details of vulnerability and how it can be exploited have not been published yet.
Adobe has released an update for ColdFusion 11, 2016 and 2018 platforms with fixes to few critical vulnerabilities, which relate to Deserialization of untrusted data (CVE-2018-15965, CVE-2018-15957, CVE-2018-15958, and CVE-2018-15959), CVE-2018-15961 Unrestricted file upload and CVE-2018-15960 Use of component with unknown vulnerability. A combination of these critical vulnerabilities could lead to arbitrary code execution on the server.
In addition, they have released patches for “Important” vulnerabilities: CVE-2018-15962 is a flaw within directory listings that can lead to information disclosure, CVE-2018-15963 is a security bypass bug which could permit attackers to create arbitrary folders, CVE-2018-15964 is another security flaw caused by the use of a component with a known vulnerability which may cause data leaks.
Patch all Windows Systems
Windows update includes the patches for vulnerabilities described above and also contain Adobe Flash update.
To apply the patches to your Windows System:
- Go to Settings -> Update & Security -> Windows Update -> Check for Updates, or you can install updates manually
If you have any questions
Feel free to either ping me on LinkedIn or schedule a pre-assessment session for your company to see how we can help securing your company assets: