It’s that time again. February is the shortest month of the year, which means we have fewer days to get all the work done that needs to be done. At the top of an IT professional’s “to do” list for every month is getting all the systems within his/her purview updated and all security patches and mitigations applied. With some of the recent serious threats that have emerged, it’s more important now than ever.
As usual on this Patch Tuesday, February 13, Microsoft released a slew of updates for both the client and server versions of the Windows operating system, both of its web browsers (Internet Explorer and Edge), and Adobe Flash running on those Windows software products. Microsoft Office got some non-security updates to address a number of bugs and performance issues, and security issues in Outlook 2013 and 2016 were addressed.
The total number of items listed in the Security Updates Guide for this Patch Tuesday is a bit lower than usual (157 vs. several hundred on most Patch Tuesdays). Of course, the Security Updates Guide contains multiple line items for the same vulnerability, making it more difficult to determine exactly what we’re dealing with.
Let’s parse all that information and take a closer look at some of the security update summaries.
Security Advisories
The following security advisory was released on Patch Tuesday this month:
Security Advisory ADV180004, Adobe Flash Security Update, affects Windows 8.1, 8.1 RT, 10 and Server 2012, 2012 R2, and 2016. Adobe rated this update as a priority 1. It addresses two critical vulnerabilities that could be exploited to accomplish remote code execution.
Microsoft updated Security Advisory ADV180002, Guidance to mitigate speculative execution side-channel vulnerabilities. Reason for revision: Microsoft has released security updates to provide additional protections for the 32-bit (x86) versions of Windows 10. Microsoft recommends that customers running 32-bit systems install the applicable update as soon as possible. These updates do not apply to x64 (64-bit) systems. Microsoft also added a section under Advisory Details announcing that it has released mitigations for Windows Holographic to Microsoft HoloLens customers; these are provided automatically as part of the February 2018 Windows Security Update to Windows 10 Version 1607 for HoloLens.
Products Updated on Patch Tuesday
The good news is that whichever version of Windows you have, only one of the Windows vulnerabilities that are addressed by this month’s updates is rated as critical. The bad news is that if you’re using the Edge browser (or even if you’re not, but have it installed), you have 11 critical vulnerabilities to be concerned about. Here is the “quick and dirty” rundown:
- Windows 7: 15 vulnerabilities
- Windows 8.1: 12 vulnerabilities
- Windows 10 v1607: 17 vulnerabilities
- Windows 10 v1703: 18 vulnerabilities
- Windows 10 v1709: 19 vulnerabilities
- Windows Server 2008: 11 vulnerabilities
- Windows Server 2008 R2: 14 vulnerabilities
- Windows Server 2012 and 2012 R2: 12 vulnerabilities
- Windows Server 2016: 17 vulnerabilities
- Internet Explorer 11: 2 vulnerabilities (1 critical)
- Microsoft Edge: 14 vulnerabilities (11 critical)
Cumulative Updates/Rollups
- Cumulative Update for Windows 10 version 1709 to build 16299.248 (KB4074588): contains security updates to Microsoft Scripting Engine, Microsoft Edge, Internet Explorer, Microsoft Windows Search component, Windows Kernel, Windows Authentication, Device Guard, Common Log File System driver, and the Windows storage and file systems.
- Cumulative Update for Windows 10 Version 1511 to build 10586.1417 (KB4074591): contains security updates to Microsoft Edge, Internet Explorer, Microsoft Windows Search component, Windows Kernel, Device Guard, Windows storage and file systems, Common Log File System driver, and the Microsoft Scripting Engine.
- Cumulative Update for Windows 10 Version 1607 to build 14393.2068 (KB4074590): contains security updates to Microsoft Edge, Internet Explorer, Adobe Flash Player, Microsoft Windows Search component, Windows Kernel, Device Guard, Common Log File System driver, and Windows storage and file systems.
- Cumulative Update for Windows 10 Version 1703 to build 15063.909 (KB4074592): contains security updates to Microsoft Scripting Engine, Microsoft Edge, Internet Explorer, Microsoft Windows Search component, Windows Kernel, Device Guard, Windows storage and file systems, and the Common Log File System driver.
- Security Only Quality Update for Windows 8.1 and Windows Server 2012 R2 (KB4074597) contains security updates to Windows Graphics, Windows Kernel, Common Log File System driver, Microsoft Windows Search component, and Windows storage and file systems.
- Security Only Quality Update for Windows 7 and Windows Server 2008 R2 (KB4074587) contains security updates to Windows Graphics, Windows Kernel, Common Log File System driver, Microsoft Windows Search component, and Windows storage and file systems.
- Cumulative security update for Internet Explorer (KB4074736)
Security updates for Windows XP Embedded and Windows Embedded 8 Standard were also released.
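The build numbers in the list above give a quick way to confirm that a Windows 10 machine has this month's cumulative update or a later one: its revision must be at or above the listed value for its build. The following is an added example, not part of the original article; the CSV layout, column names and hosts are constructed for illustration.

```python
"""Audit an inventory of Windows 10 builds against the February 2018
cumulative-update builds listed in the article (added example)."""
import csv
import io

# Minimum patched revision per Windows 10 build, taken from the list above.
FEB_2018_BASELINE = {
    16299: (248, "KB4074588"),   # version 1709
    15063: (909, "KB4074592"),   # version 1703
    14393: (2068, "KB4074590"),  # version 1607
    10586: (1417, "KB4074591"),  # version 1511
}

# Constructed sample inventory: hostnames and reported builds are made up.
SAMPLE_INVENTORY = """host,os_version
ws-001,10.0.16299.248
ws-002,10.0.16299.192
ws-003,10.0.15063.909
srv-01,10.0.14393.1944
ws-004,10.0.10240.17000
ws-005,not-reported
"""

def check_build(os_version):
    """Return (status, detail) for a 'major.minor.build.revision' string."""
    parts = os_version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return "unknown", "unparseable version string"
    build, revision = int(parts[2]), int(parts[3])
    if build not in FEB_2018_BASELINE:
        # Builds the article does not list are flagged, never assumed safe.
        return "unknown", f"build {build} is not in the baseline table"
    minimum, kb = FEB_2018_BASELINE[build]
    if revision >= minimum:
        return "patched", f"{build}.{revision} >= {build}.{minimum}"
    return "missing", f"needs {kb} (build {build}.{minimum})"

def audit(inventory_csv):
    """Map each host in the CSV text to its (status, detail) result."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: check_build(row["os_version"]) for row in reader}

if __name__ == "__main__":
    for host, (status, detail) in audit(SAMPLE_INVENTORY).items():
        print(f"{host:8} {status:8} {detail}")
```

Hosts reported as "unknown" need manual follow-up: the table covers only the Windows 10 builds named in this article, so Windows 7, 8.1 and the Server releases patched through the Security Only updates are not evaluated.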
Critical vulnerabilities
Some of the most important critical vulnerabilities addressed by these updates include the following:
CVE-2018-0763 | Microsoft Edge Information Disclosure Vulnerability. This information disclosure vulnerability exists when Microsoft Edge improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.
CVE-2018-0825 | StructuredQuery Remote Code Execution Vulnerability. A remote code execution vulnerability exists in StructuredQuery when the software fails to properly handle objects in memory.
An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
CVE-2018-0834, 0835, 0837, 0838, 0840, 0856, 0857, 0859, 0860, 0861 | Scripting Engine Memory Corruption Vulnerability. These are all remote code execution vulnerabilities that exist in the way that the scripting engine handles objects in memory in Microsoft Edge. The vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
CVE-2018-0852 | Microsoft Outlook Memory Corruption Vulnerability. This remote code execution vulnerability exists in Microsoft Outlook when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
CVE-2018-0858 | Scripting Engine Memory Corruption Vulnerability in ChakraCore. This remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.
Summary
Those of us who attempt to summarize each month’s updates for readers continue to struggle since Microsoft discontinued the security bulletins that contained that information in an easily accessed format and moved everything to the Security Update Guide portal, which provides a deluge of unwieldy information. Thus we’re limited now in these articles to summarizing and discussing a selection of the large number of line items that appear in the Guide.
You can view or download the full Excel spreadsheet for all of the updates released on Patch Tuesday by entering the date range (February 13, 2018 to February 13, 2018) in the Guide interface. You can then sort and filter the data in different ways (although not, as far as I can tell, in a way that will provide us with anything close to the same formatted info as the gone-but-not-forgotten security bulletins).