April 2018 – Microsoft Patch Tuesday

April showers might bring May flowers, but the second Tuesday in April brings a deluge of security updates from Microsoft. The total number of items listed in the Security Updates Guide for this Patch Tuesday is 425 (as compared to only 157 last month – but that was an unusually low number. Of course, the Security Updates Guide contains multiple line items for the same vulnerability, making it more difficult to determine exactly what we’re dealing with.

As usual, we have updates for all of the currently supported versions of the Windows operating system, both client and server, as well as both of Microsoft’s web browsers, Internet Explorer and Edge. The usual Adobe Flash update for Windows is here, and this time we also have fixes for Microsoft Office (including Microsoft Office Services and Office Web Apps), Visual Studio, the Azure Internet of Things (IoT) Software Developers’ Kit (SDK), as well as ChakraCore. In regard to that last one, we’ve been seeing it here every month and I’ve had a few readers ask me what exactly it is and why it is suddenly appearing in the list of patched components. Chakra is a JavaScript engine that was created for the Edge browser. ChakraCore is the open source Chakra engine, which is the same thing without the platform-specific bindings of the Edge Chakra engine.

There is also an update for the Microsoft Malware Protection Engine that was released as an out-of-band update on April 3.

Microsoft also released several non-security updates, which are beyond the scope of this post – but be aware that KB4089848 for Windows 10 v 1709 fixes a number of annoying issues, including Bluetooth problems, EFS file corruption issues associated with BitLocker, a file transfer error, failure of group policy processing caused by too many characters in Windows Firewall policy, corruption of the Remote Desktop license report, and more. You can find out all the details here:
https://support.microsoft.com/en-us/help/4089848/windows-10-update-kb4089848

Now let’s take a closer look at some of the security update summaries.

Security Advisories

The following security advisory was released on Patch Tuesday this month:

Security Advisory ADV180007, Adobe Flash Security Update, affects Windows 8.1 and 10, and Server 2012/2012 R2 and 2016. Adobe rated this update as a priority 2. It addresses three critical vulnerabilities that could be exploited to accomplish remote code execution (a use-after-free and two out-of-bounds write issues), along with three important vulnerabilities that are all information disclosure issues. You can find more information about these vulnerabilities and fixes on Adobe’s site at https://helpx.adobe.com/security/products/flash-player/apsb18-08.html

Products Updated on Patch Tuesday

Here is the “quick and dirty” rundown of the vulnerabilities that were patched in the operating systems and web browsers:

• Windows 7: 21 vulnerabilities
• Windows 8.1: 23 vulnerabilities
• Windows 10 v1607:  25 vulnerabilities
• Windows 10 v1703 and v1709: 28 vulnerabilites
• Windows Server 2008 R2: 21 vulnerabilities
• Windows Server 2012 and 2012 R2: 23 vulnerabilities
• Windows Server 2016: 27 vulnerabilities
• Internet Explorer 11: 13 vulnerabilities (1 critical)
• Microsoft Edge: 10 vulnerabilities (11 critical)

Six operating system vulnerabilities and 8 web browser vulnerabilities were rated critical.

Operating system and web browser security updates

• Windows 10 (v1709, 1703, and 1607) updates addressed security issues with IE and Edge, the kpp platform, the Microsoft scripting engine, Windows Server, Windows kernel, Windows graphics, multiple networking issues (datacenter and wireless), virtualization, and Hyper-V.  You can find out more information about these updates in KB4093112 (v1709), KB4093107 (v1703), and KB4093119 (v1607).
• Windows 10 (v1511) updates address security updates to Internet Explorer, Microsoft scripting engine, Windows RDP, Windows kernel, Windows IIS, Windows datacenter networking, Microsoft scripting engine, Microsoft Edge, Windows Hyper-V , and Windows virtualization and kernel. You can find out more information in KB4093109.
• Windows 7 SP1 and Windows Server 2008 SP1 security update fixes security issues with Internet Explorer, Microsoft scripting engine, Microsoft graphics component, Windows Server, Windows datacenter networking, Windows virtualization and kernel, and Windows app platform and frameworks. This update also removed the blocking updates  when a registry key for antivirus compatibility was not set. You can find out more information about these updates in KB4093108.
• Windows 8.1 and Windows Server 2012 R2 security update fixes security issues with Internet Explorer, Microsoft scripting engine, Microsoft graphics component, Windows Server, Windows datacenter networking, Windows virtualization and kernel, and Windows app platform and frameworks. This update also removed the blocking updates when a registry key for antivirus compatibility was not set. You can find out more information about these updates in KB4093115
• Cumulative update for Internet Explorer addresses several reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage in Internet Explorer. You can find out more about this update in KB4092946.

Security updates for Windows XP Embedded and Windows Embedded 8 Standard were also released.

Critical vulnerabilities

Some of the most important critical vulnerabilities addressed by these updates include the following:

• Internet Explorer Memory Corruption vulnerabilities (CVE-2018-0870, 0988, 0991, 0996) A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, the attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Applies to all currently supported versions of Windows client and server OS.
• Chakra Scripting Engine Memory Corruption vulnerabilities (CVE-2018-0979, 0980, 0990, 0993, 0994, 0995) A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Applies to Edge running on Windows 10 and Server 2016.
• Scripting Engine Information Disclosure vulnerabilities (CVE-2018-0981, 1000, ) An information disclosure vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could provide an attacker with information to further compromise the user’s computer or data. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.
• Windows VBScript Engine Remote Code Execution vulnerabilities (CVE-2018-1004) A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
• Microsoft Graphics Remote Code Execution vulnerabilities (CVE-2018-1010, 1012,1013) A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. There are multiple ways an attacker could exploit the vulnerability.

The above covers only some of the vulnerabilities addressed in the April security updates.  According to reports, a total of 66 vulnerabilities were fixed by this month’s patches.  Others include an Active Directory security bypass, a Device Guard feature bypass, a Windows kernel elevation of privileges vulnerability, a Windows kernel information disclosure vulnerability, a denial of service vulnerability in Microsoft Graphics component, a Hyper-V information disclosure issue, a Visual Studio information disclosure issue, an HTTP.sys denial of service issue in IIS, a Remote Desktop Protocol (RDP) denial of service vulnerability, and more.

For the full list and/or to download the Excel spreadsheet listing all of the vulnerabilities, please see the Security Update Guide at https://portal.msrc.microsoft.com/en-us/security-guidance.

As always we advise our readers to test their patches before deploying them to their business network. The March edition of Microsoft Patch Tuesday resulted in a few problems for several users and you can read my experience with the March Patches here.