The October 2018 Security Update Review

October is upon us and with it comes the latest in security offerings from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.

Adobe Patches for October 2018

Adobe began the October patch cycle early by releasing an update for Acrobat and Reader back on October 1st. This mammoth update corrects 86 CVEs in total, 47 of which are listed as Critical by Adobe. A total of 14 of these bugs came through the ZDI program. The majority of Critical-rated bugs fall under the Out-Of-Bounds (OOB) write category. This release follows closely on the heels of the APSB18-34 release. Don’t let the greater bulletin number confuse you – APSB18-30 released October 1 while APSB18-34 went live on September 19. 

Today, Adobe released four additional patches for Flash, Framemaker, Adobe Digital Editions, and the Adobe Technical Communications Suite. The patch for Flash doesn’t actually correct any security issues – it only contains bugs fixes and performance enhancements. The Digital Editions patch corrects four Critical-rated and five Important-rated CVEs. The Critical bugs could allow remote code execution via either a heap overflow or a Use After Free (UAF). The patches for Framemaker and the Adobe Technical Communications Suite both address Important-rated insecure library loading bugs.

Microsoft Patches for October 2018 

Microsoft released 49 security patches and two advisories covering Internet Explorer (IE), Edge, ChakraCore, Hyper-V, Exchange, Windows components, .NET Core, SQL Server, and Microsoft Office and Office Services. Of the 49 CVEs, 12 are listed as Critical, 35 are rated Important, one is rated as Moderate, and one is rated Low in severity. A total of eight of these CVEs came through the ZDI program. Three of these bugs are listed as publicly known at the time of release and one of these is reported as being actively exploited.

Let’s take a closer look at some of the more interesting patches for this month, starting with the issue currently under active attack:

-       CVE-2018-8453 – Win32k Elevation of Privilege Vulnerability
This CVE covers a Win32K (kernel-mode drivers) elevation of privilege vulnerability listed as currently under active attack. Little information is provided about the active attacks, but considering the nature of the vulnerability and the credit to Kaspersky Labs for reporting it, this is most certainly being used by malware. Given that we haven’t heard of this prior to today, it’s also safe to say these attacks are limited in nature – for now. Malware uses kernel elevation bugs to go from user-mode to admin-mode, which allows them full control of a target system.

-       CVE-2018-8423 – Microsoft JET Database Engine Remote Code Execution Vulnerability
We initially disclosed this vulnerability after it exceeded its 120-day timeline, and a patch addressing it is now available. Interestingly, this patch is listed as Important while two JET Database patches last month were listed as Critical despite have similar sounding descriptions. While last month’s issues dealt with Excel files, this bug can be reached by loading a specially crafted Microsoft JET Database Engine file. While we aren’t aware of active attacks using this bug, we still recommend putting this patch near the top of your test and deployment list. 

-       CVE-2010-3190 – MFC Insecure Library Loading Vulnerability 
That’s no typo – this patch addresses a bug first disclosed back in 2010 with Advisory 2269637. Often referred to as “binary planting” or “DLL preloading attacks,” this class of bugs has received close to 30 bulletins in total to fix various components. This month, Microsoft identified Exchange Server as another component that requires similar DLL preloading protections. If you have a version of Exchange prior to Exchange Server 2016 Cumulative Update 11, you’ll also need the Visual Studio 2010 patch from MS11-025. This patch accompanies two command injection fixes impacting Exchange this month, which means another rough month of testing and patching for Exchange admins.

-       CVE-2018-8492 – Device Guard Code Integrity Policy Security Feature Bypass Vulnerability
This patch corrects a vulnerability that could allow an attacker to inject malicious code into a Windows PowerShell session. This may not seem too bad on the surface, but it’s just the type of thing used by fileless malware. Malicious PowerShell scripts are commonly used in these types of attacks and have previously been detailed by Trend Micro researchers. Any file changes to make these types of attacks harder is certainly welcome.

 Here’s the full list of CVEs released by Microsoft for October 2018.

While this month is slightly smaller than the last few releases, browser bugs and remote code execution (RCE) bugs still dominate the release. Of the 49 patches, 18 are listed as RCE while 12 affect browsers. One of the browser related bugs is listed as Low-severity, which is odd since the description is identical to other, higher rated vulnerabilities. There also seems to be a renewed interest in networking protocols, as both the DNS service and TCP/IP stack receive updates this month. Virtualization also continues to see interest with two Guest-to-Host elevations fixed by patches for Hyper-V. Office components are well represented in this release with updates for Excel, Word, PowerPoint, graphics components, and SharePoint amongst the October patches.

Similar to the bug under active attack, a dozen different elevation of privilege (EoP) bugs are fixed in this release. Normally, these bugs require an attacker to log on to a system and execute code to elevate privileges. However, CVE-2018-8333 turns that on its head a bit. In this instance, an attacker would need to log on to a target system and delete a specially crafted file rather than execute specially crafted code. The Linux-on-Windows subsystem also receives a patch for an EoP, but this one has the more traditional exploit vector.

Multiple Windows components receive patches this month, including additional kernel fixes. There are also updates for the Windows graphics components, media player, XML core services, and the Windows shell. There’s also a patch for the Azure IoT Device Client SDK, which allows developers to build apps that run on IoT devices. The RCE bug fixed here is the final one listed as publicly known for this release. It’s also interesting to see IoT bugs get patched, as these may reveal techniques that could be used in the IoT category of the upcoming Pwn2Own Tokyo. 

Finally, there is one advisory to cover this month. It provides defense-in-depth enhancements for Office. It’s unclear what these enhancements entail or why they couldn’t be included in one of the other Office patches.

Looking Ahead

The next patch Tuesday falls on November 13, and we’ll return with details and patch analysis then. Until then, happy patching and may all your reboots be smooth and clean!