September 2018 – Microsoft Patch Tuesday

Although summer isn’t officially over until later this month, it might as well be autumn already where I live. School has started, the swallows that nest in our eaves have left for South America, the weather has grown slightly cooler (and rainier), and the Atlantic is full of hurricanes (which I narrowly avoided by cruising the Caribbean last week instead of this week).

In the IT security world, though, it really doesn’t matter whether it’s summer, fall, winter or spring. ‘Tis always the season to be vigilant, since neither snow nor rain nor gloom of night keeps the hackers and attackers from their nefarious duties.

We’ve already had a number of new vulnerabilities in the news since last month, including a new Zero Day issue that affects current versions of Windows, which was disclosed via Twitter and GitHub and has already been exploited to attack computers in multiple countries.

There’s also some good news: ZDNet reported that Microsoft had released information about how the company classifies, prioritizes, and handles security vulnerabilities that will be useful to security researchers, IT admins, users, and the media in understanding the vulnerability categories Microsoft uses and how they go about assigning severity ratings.

Some businesses will be happy to hear that when Windows 7 reaches the end of support at the beginning of 2020, Microsoft is going to allow them to continue getting security updates. The catch? It will be a per-device “for pay” service. This applies to customers who use Volume Licensing, so don’t get too excited if you’re using the consumer versions.

Meanwhile, earlier this month, Microsoft released Windows 10 Preview Build 17755 (for the October 2018 major update) to participants in the Windows Insider program. It fixes some known issues but doesn’t contain any major security improvements over its immediate predecessor.

It’s been a busy month (already) in the security arena, and it’s only the second Tuesday, but since it is, now let’s get back to the September patch news:

On September 11, Microsoft released a total of 127 updates that fix security issues with the following software products and services:

• All currently supported versions of Windows (7, 8.1, 10 and Server 2008 R2, 2012 R2 and 2016)
• Both currently supported web browsers (Internet Explorer 11 and Edge)
• Microsoft Office
• The .NET framework
• Adobe Flash Player for Windows

As always, the Malicious Software Removal Tool (MSRT) is updated to include the latest malware definitions.

Security Advisories

The following security advisory was released on Patch Tuesday this month:

• ADV180023 Adobe Flash Security Update This is the usual advisory for Adobe’s monthly patch, which points you to Adobe’s own Security Bulletin APSB18-31. It applies to Flash on Windows 8.1 and 10 and Server 2012, 2012 R2, and 2016, and addresses what Microsoft’s Advisory describes as a critical remote code execution vulnerability, whereas the Adobe bulletin describes it as a priority 2 privilege escalation/information disclosure vulnerability rating important. This is a bit confusing, and I’ll be attempting to resolve the discrepancy.

Operating system, OS components, and web browser updates

We’re looking at 18 to 29 vulnerabilities in Windows client, depending on the OS version. Windows 10 1803 has the largest number of vulnerabilities – 24 rated important and five rated critical.  A similar number of vulnerabilities affect the Windows Server operating systems, with five critical and 20 important in Server 2016.

Microsoft Edge has 13 vulnerabilities patched this time, and 7 of those are critical. IE 11 comes in with under half as many: 6 total vulnerabilities, 3 of which are critical.

The following updates to the Windows operating systems were released on September 11:

• KB4457144 – Sept monthly rollup for Windows 7. This includes Security updates to Windows media, Windows Shell, Windows Hyper-V, Windows kernel, Windows datacenter networking, Windows virtualization and kernel, Microsoft JET Database Engine, Windows MSXML, and Windows Server.
• KB4457129 – Sept monthly rollup for Windows 8.1. This includes security fixes for the same Windows components listed above.
• KB4457138 – Sept cumulative update for Windows 10 version 1703. This includes Security updates to Internet Explorer, Microsoft Edge, Microsoft scripting engine, Microsoft Graphics Component, Windows media, Windows Shell, Device Guard, Windows datacenter networking, Windows kernel, Windows Hyper-V, Windows virtualization and kernel, Microsoft JET Database Engine, Windows MSXM, and Windows Server.
• KB4457142 – Sept cumulative update for Windows 10 version 1709. This includes Security updates to Internet Explorer, Microsoft Edge, Microsoft scripting engine, Windows graphics, Windows media, Windows Shell, Windows cryptography, Windows virtualization and kernel, Windows datacenter networking, Windows Hyper-V, Windows Linux, Windows kernel, Microsoft JET Database Engine, Windows MSXML, and Windows Server.
• KB4457128 – Sept cumulative update for Windows 10 version 1803. This includes protection against a Spectre Variant 2 vulnerability (CVE-2017-5715) for ARM64 devices. It also addresses an issue that causes the Program Compatibility Assistant (PCA) service to have excessive CPU usage. This occurs when the concurrency of two simultaneous add and remove programs (ARP) monitoring threads is not handled correctly. And finally, it includes security updates to Internet Explorer, Microsoft Edge, Microsoft scripting engine, Microsoft Graphics Component, Windows media, Windows Shell, Windows Hyper-V, Windows datacenter networking, Windows virtualization and kernel, Windows Linux, Windows kernel, Microsoft JET Database Engine, Windows MSXML, and Windows Server.
• KB4457131 – Windows Server 2016 cumulative update (Requires Servicing Stack Update KB4132216). This includes security updates to Internet Explorer, Microsoft Edge, Microsoft scripting engine, Microsoft Graphics Component, Windows media, Windows Shell, Device Guard, Windows Hyper-V, Windows datacenter networking, Windows kernel, Windows virtualization and kernel, Microsoft JET Database Engine, Windows MSXML, and Windows Server.

The following updates for the Microsoft web browsers were released on September 11:

• KB4457426 – Internet Explorer 11 cumulative update. This security update resolves several reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage in Internet Explorer.

Updates to Microsoft Edge are included in the Windows 10 rollups.

Microsoft Office updates

Updates were released for Office 2010 and 2013, the Microsoft Office Compatibility Pack SP3, Excel Viewer 2007, SharePoint Enterprise Server 2013 and 2016, and SharePoint Server 2010. This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file.

Other software/services

Security updates were also released on September 11 for the .NET Framework versions 3.5 through 4.7.2 running on Windows Client and Server operating systems and Windows Embedded. This security update resolves a vulnerability in Microsoft .NET Framework that could allow remote code execution when .NET Framework processes untrusted input. An attacker who successfully exploits this vulnerability in software by using .NET Framework could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts that have full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

Critical vulnerabilities

The following are some of the critical vulnerabilities addressed by this month’s updates:

CVE-2018-0965 – Windows Hyper-V Remote Code Execution Vulnerability. This is one of the most critical of this month’s batch of vulnerabilities. When Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code. An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system. This affects Windows 10 and Server 2016, as well server component in versions 1709 and 1803.

CVE-2018-8332 – Win32k Graphics Remote Code Execution Vulnerability. A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

CVE-2018-8367 – Chakra Scripting Engine Memory Corruption Vulnerability. A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

CVE-2018-8420 – MS XML Remote Code Execution Vulnerability. A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input. An attacker who successfully exploited the vulnerability could run malicious code remotely to take control of the user’s system. To exploit the vulnerability, an attacker could host a specially crafted website designed to invoke MSXML through a web browser. However, an attacker would have no way to force a user to visit such a website. Instead, an attacker would typically have to convince a user to either click a link in an email message or instant message that would then take the user to the website. When Internet Explorer parses the XML content, an attacker could run malicious code remotely to take control of the user’s system.

CVE-2018-8421 – .NET Framework Remote Code Execution Vulnerability. A remote code execution vulnerability exists when Microsoft .NET Framework processes untrusted input. An attacker who successfully exploited this vulnerability in software using the .NET framework could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.