Here in Texas, although summer doesn’t “officially” arrive until later in the month, it certainly feels like summertime with temperatures in the 90s every day. We are “walking in sunshine” here on the lake. As they say, when you’re hot, you’re hot.
And of course, security never ceases to be a hot topic. June headlines include reports that three-fourths of U.S. federal agencies are facing cybersecurity risk challenges, that nearly half of healthcare executives say cybersecurity challenges are creating merger and acquisition headaches, and that Facebook – which doesn’t seem to be able to stay out of the news in a negative light lately – gave 60 device makers access to data on users and their friends.
Meanwhile, the major software vendors are playing their usual game of trying to stay a step ahead of the hackers and attackers by discovering and fixing vulnerabilities before the bad guys can exploit them. Microsoft seems to be doing a decent job of that this month, as none of the vulnerabilities covered by the June patches has been reported to be exploited in the wild.
Those vulnerabilities include bugs in Windows, the IE and Edge web browsers, SharePoint Server, and Office Web Apps Server. Some affected Windows components include the Device Guard feature in Windows 10 and Server 2016, Hyper-V, NTFS, the HID parser library, the Microsoft Scripting Engine, Windows Shell, and the Windows kernel.
The fourth variant of the Spectre flaw in processors was also addressed in this month’s slate of patches, and the updates will change some settings to mitigate Spectre variant 2 and Meltdown, as well.
In total, the June patches address 50 vulnerabilities. Only one of these, a remote code execution issue in the JScript component, had been publicly disclosed. Let’s take a closer look at some of the security update summaries.
Important Note: There are manual actions that you might need to complete in order to be fully protected after installing the SharePoint updates and the Windows updates for Spectre/Meltdown. These are shown in the table in the Release Notes for the June 2018 Security Updates, at https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/7d4489d6-573f-e811-a96f-000d3a33c573
Security Advisories
The following security advisories were released on Patch Tuesday this month:
Security Advisory ADV180014, Adobe Flash Security Update that addresses vulnerabilities in Adobe Flash Player running on Windows 8.1, RT 8.1, Windows 10, and Server 2012, 2012 R2, and 2016. This was the out-of-band patch released by Adobe on June 7 and rated priority one. It fixes four vulnerabilities, two of them critical arbitrary code execution issues and two that are important information disclosure vulnerabilities. Details are in Adobe Security Bulletin APSB18-19.
Security Advisory ADV180015, Microsoft Defense in Depth Update for Microsoft Office that improves memory handling of Office applications that render Office Art. Affected products are Office 2010 and 2013, Office Web Apps Server 2010 and 2013, Word Automation Services and Excel Services.
Security Advisory KB4338110 is Microsoft’s improved guidance on the use of Cipher-Block-Chaining (CBC) mode with symmetric encryption. This is to help devs avoid a “padding oracle” security feature bypass vulnerability in their apps, which could allow attackers to decrypt encrypted data (both at rest and in transit) without the encryption key.
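A standard way to remove a CBC padding oracle is to authenticate the ciphertext and verify that authentication before any decryption or padding check runs, returning one indistinguishable failure for every error. The sketch below is an added example, not code from Microsoft or from this article; the function names `seal` and `open` and the message layout are assumptions of the example.

```javascript
// Added example: encrypt-then-MAC around AES-256-CBC using Node's built-in crypto.
const { createCipheriv, createDecipheriv, createHmac,
        randomBytes, timingSafeEqual } = require("crypto");

const IV_LEN = 16;   // AES block size
const TAG_LEN = 32;  // HMAC-SHA256 output size

// Assumed layout: IV (16 bytes) || ciphertext || HMAC-SHA256 tag (32 bytes).
// encKey and macKey are two independent 32-byte keys.
function seal(encKey, macKey, plaintext) {
  const iv = randomBytes(IV_LEN);
  const cipher = createCipheriv("aes-256-cbc", encKey, iv);
  const body = Buffer.concat([iv, cipher.update(plaintext), cipher.final()]);
  // The tag covers the IV and the ciphertext, so neither can be altered.
  const tag = createHmac("sha256", macKey).update(body).digest();
  return Buffer.concat([body, tag]);
}

// Returns the plaintext Buffer, or null for ANY failure. The caller cannot
// tell a bad tag from bad padding, so there is no oracle to query.
function open(encKey, macKey, message) {
  // Need at least an IV, one ciphertext block and a tag.
  if (message.length < IV_LEN + 16 + TAG_LEN) return null;
  const body = message.subarray(0, message.length - TAG_LEN);
  const tag = message.subarray(message.length - TAG_LEN);
  const expected = createHmac("sha256", macKey).update(body).digest();
  // Constant-time comparison; reject before the ciphertext is ever decrypted.
  if (!timingSafeEqual(tag, expected)) return null;
  try {
    const decipher = createDecipheriv("aes-256-cbc", encKey, body.subarray(0, IV_LEN));
    return Buffer.concat([decipher.update(body.subarray(IV_LEN)), decipher.final()]);
  } catch {
    return null; // same answer as a tag failure
  }
}

// Constructed sample input: fixed demo keys, never use such keys in production.
function demo() {
  const encKey = Buffer.alloc(32, 1);
  const macKey = Buffer.alloc(32, 2);
  const msg = seal(encKey, macKey, Buffer.from("constructed sample"));
  const tampered = Buffer.from(msg);
  tampered[tampered.length - TAG_LEN - 1] ^= 1; // flip a bit in the last ciphertext block
  return { ok: open(encKey, macKey, msg), rejected: open(encKey, macKey, tampered) };
}
```

The same property is what an authenticated mode such as AES-GCM provides without a separate HMAC step.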
Products Updated on Patch Tuesday
Here is the “quick and dirty” rundown of the vulnerabilities that were patched in the operating systems and web browsers:
- Windows 7: 9 vulnerabilities
- Windows 8.1: 8 vulnerabilities
- Windows 10 version 1607: 25 vulnerabilities
- Windows 10 version 1703: 25 vulnerabilities
- Windows 10 version 1709: 27 vulnerabilities
- Windows 10 version 1803: 26 vulnerabilities
- Windows Server 2008 R2: 9 vulnerabilities
- Windows Server 2012 and 2012 R2: 8 vulnerabilities
- Windows Server 2016: 24 vulnerabilities
- Internet Explorer 11: 4 vulnerabilities
- Microsoft Edge: 7 vulnerabilities
The good news is that the majority of the vulnerabilities are rated important, but all products have at least two critical vulnerabilities.
Operating system and web browser security updates
- Cumulative updates/monthly rollups were released for Windows 7 SP1 and Windows 8.1 and 8.1 SP1.
- Cumulative updates were released for Windows 10 versions 1607, 1703, 1709, and 1803.
- Cumulative updates were released for Windows Server 2016.
- Updates were released to address security vulnerabilities in Windows Server 2008 and Windows Server 2012. These include fixes for RDP DoS, remote code execution, a kernel information disclosure vulnerability, and a HID Parser elevation of privilege vulnerability.
Security updates for Windows XP Embedded were also released.
Microsoft Office security updates
Updates were released for Office 2010, 2013 and 2016. These address vulnerabilities that include remote code execution vulnerabilities and other security issues in Office, Excel, Publisher and Outlook.
Critical vulnerabilities
Some of the most important critical vulnerabilities addressed by these updates include the following:
- CVE-2018-8243 | Scripting Engine Memory Corruption Vulnerability. A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
- CVE-2018-8249 | Internet Explorer Memory Corruption Vulnerability. A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, the attacker could take control of an affected system.
- CVE-2018-8251 | Media Foundation Memory Corruption Vulnerability. A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights.
- CVE-2018-8225 | Windows DNSAPI Remote Code Execution Vulnerability. A remote code execution vulnerability exists in Windows Domain Name System (DNS) DNSAPI.dll when it fails to properly handle DNS responses. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account.
- CVE-2018-8229 | Chakra Scripting Engine Memory Corruption Vulnerability. A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system.
- CVE-2018-8236 | Microsoft Edge Memory Corruption Vulnerability. A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that enables an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.
- CVE-2018-8267 | Scripting Engine Memory Corruption Vulnerability. A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.
Note that this list does not include all of the critical vulnerabilities that are addressed by the June patches.