Threat Management, Threat Intelligence, Malware, Network Security, Patch/Configuration Management, Vulnerability Management

Patch Tuesday: Microsoft mends RCE bug reportedly exploited by cyber espionage group

Share

Microsoft Corporation's Patch Tuesday security update today fixed 67 bugs, including two that have been actively exploited in zero-day attacks, and another two whose details became public.

The first zero-day vulnerability, CVE-2018-8174, is a remote code execution vulnerability in the Windows VBScript Engine, caused by an improper handling of objects in memory. Attackers can exploit this vulnerability in order to acquire the same user rights as the current legitimate user, and ultimately gain full control of an affected system.

BleepingComputer, citing researchers from Qihoo 360, reported last month that an APT group has been exploiting this bug in a complex attack that affects the latest versions of Internet Explorer and any other applications that use the IE kernel.

"In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website," Microsoft explains in a seucrity advisory, crediting researchers from Qihoo 360 and Kaspersky Lab for the discovery. "An attacker could also embed an ActiveX control marked 'safe for initialization'in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability."

The other exploited zero-day bug, CVE-2018-8120, is a Windows elevation of privilege vulnerability that occurs in the Win32k component when it fails to properly handle objects in memory. It can be exploited to run arbitrary code in kernel mode, allowing attackers unfettered control.

"To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system," warns Microsoft in another advisory that credits the bug's discovery to research from ESET.

"It has been reported that this vulnerability is actively being used by malware, although it's not clear how widespread that malware actually is," reports Trend Micro's Zero Day Initiative in a blog post. "The bug itself is just one of seven Kernel EoPs [elevation of privileges] being patched this month. Any of these bugs are targets malware authors could use in future attacks."

The two repaired bugs that previously went public, but do not appear to be actively exploited, are CVE-2018-8170, an EoP flaw in Windows kernel image and CVE-2018-8148, an information disclosure flaw in the Windows kernel.

In total, 20 of the fixed vulnerabilities are marked critical, including multiple memory corruption vulnerabilities in the scripting engine, Chakra scripting engine and Microsoft browsers, and remote code execution issues in the Windows Hyper-V hypervisor product.

Other products and components that had vulnerabilities repaired include Microsoft Edge, Exchange, Office (specifically Excel software in certain cases), Outlook, SharePoint and more.

Scripting Engine Memory Corruption Vulnerability
Scripting Engine Memory Corruption Vulnerability
Scripting Engine Memory Corruption Vulnerability

Patch Tuesday: Microsoft mends RCE bug reportedly exploited by cyber espionage group

Microsoft Corporation's Patch Tuesday release today fixed 67 bugs, including two that have been actively exploited in zero-day attacks, and another two whose details became public.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.