The May 2018 Security Update Review
May 08, 2018 | Dustin Childs
May has arrived and brought with it the latest patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for May’s security updates.
Adobe Patches for May 2018
For May, Adobe released three patches addressing a total of five CVEs in Adobe Flash, Adobe Connect, and the Adobe Creative Cloud Desktop Application. Base on install base alone, the Adobe Flash update should be the highest priority. The lone CVE fixed by this patch could allow remote code execution through a type confusion bug. The Creative Cloud patch fixes one Critical- and two Important-rated bugs. For this bulletin, direct code execution is not possible. Instead, Adobe corrects a security bypass and two privilege escalations. The final patch for Adobe Connect corrects an Important-severity information disclosure. None of these bugs are listed as being under active attack or publicly known at the time of release.
Microsoft Patches for May 2018
Microsoft released 68 security patches for May covering Internet Explorer (IE), Edge, ChakraCore, Hyper-V Server, Windows, Visual Studio, Microsoft Office and Office Services and Web Apps, and the Azure IoT SDK. Of these 68 CVEs, 21 are listed as Critical, 45 are rated Important, and two listed as Low in severity. Eleven of these CVEs came through the ZDI program. Two of these bugs are listed as being under active attack, and two more are listed as publicly known at the time of release.
Let’s take a closer look at some of the more interesting patches for this month, starting with the bugs currently being exploited publicly.
- CVE-2018-8174 – Windows VBScript Engine Remote Code Execution Vulnerability
Priority for this month has to be given to the two bugs under active attack, and this is clearly the more severe of those two. This vulnerability resides in the VBScript Engine, but the attack scenario is similar to browser bugs. A user need only to visit a malicious website to have attacker-control code execute on their machine. This bug is also strikingly similar to CVE-2018-1004, which was patched last month after being submitted to the ZDI program. An attacker could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine. In my blog last month, I stated, “These vectors make this bug more appealing than a browser bug since the attack surface is broader.” With active attacks currently circulating in a similar bug, I hope I didn’t give anyone ideas.
- CVE-2018-8120 – Win32k Elevation of Privilege Vulnerability This is the second bug listed as under attack for this month. It has been reported that this vulnerability is actively being used by malware, although it’s not clear how widespread that malware actually is. The bug itself is just one of seven Kernel EoPs being patched this month. Any of these bugs are targets malware authors could use in future attacks.
- CVE-2018-0959 – Hyper-V Remote Code Execution Vulnerability
- CVE-2018-0961 – Hyper-V vSMB Remote Code Execution Vulnerability
I combined these two patches since they share the same attack scenario and result. While the root cause for these bugs are different, both could allow an attacker on a guest OS to elevate privileges and execute their code on the underlying hypervisor OS just by running a specially crafted program from the guest OS. It’s too bad neither of these bugs made an appearance at this year’s Pwn2Own, where a successful demonstration could have earned $150,000. Of the two, CVE-2019-0961 seems more interesting due to the vSMB vector used. It will be interesting to see if more research develops in this area.
- CVE-2018-8119 – Azure IoT SDK Spoofing Vulnerability
The security patch process of IoT devices has been questioned during the unstoppable spread of IoT devices around the world. This patch doesn’t provide all the answers, but it is interesting to see. The vulnerability here requires an attacker to be in a position to intercept communications between a provisioning server and an IoT device. If they can get to this man-in-the-middle (MitM) position, an attacker could impersonate a server used during the provisioning process to disclose sensitive data from the IoT devices connected to that server. It’s not the most exciting of vulnerabilities, but it does show the beginnings of patch management of IoT systems. Now if we could just figure out how to automatically update a thermostat or refrigerator, we’ll be all set.
Here’s the full list of CVEs released by Microsoft for May 2018.
| CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older |
| CVE-2018-8174 | Windows VBScript Engine Remote Code Execution Vulnerability | Critical | No | Yes | 0 | 0 |
| CVE-2018-8120 | Win32k Elevation of Privilege Vulnerability | Important | No | Yes | N/A | 0 |
| CVE-2018-8170 | Windows Image Elevation of Privilege Vulnerability | Important | Yes | No | 1 | 1 |
| CVE-2018-8141 | Windows Kernel Information Disclosure Vulnerability | Important | Yes | No | N/A | 2 |
| CVE-2018-8115 | Windows Host Compute Service Shim Remote Code Execution Vulnerability | Critical | No | No | 3 | 3 |
| CVE-2018-0943 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-0945 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-0946 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-0951 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-0953 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-0954 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
| CVE-2018-0955 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
| CVE-2018-0959 | Hyper-V Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 |
| CVE-2018-0961 | Hyper-V vSMB Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 |
| CVE-2018-1022 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
| CVE-2018-8114 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
| CVE-2018-8122 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 |
| CVE-2018-8128 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-8130 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-8133 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-8137 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-8139 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-8177 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A |
| CVE-2018-8178 | Microsoft Browser Memory Corruption Vulnerability | Critical | No | No | 1 | N/A |
| CVE-2018-8142 | Windows Security Feature Bypass Vulnerability | Important | No | No | 3 | N/A |
| CVE-2018-0765 | .NET and .NET Core Denial Of Service Vulnerability | Important | No | No | 3 | 3 |
| CVE-2018-0824 | Microsoft COM for Windows Remote Code Execution Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-0854 | Windows Security Feature Bypass Vulnerability | Important | No | No | 3 | 3 |
| CVE-2018-0958 | Windows Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-1021 | Microsoft Edge Information Disclosure Vulnerability | Important | No | No | 1 | N/A |
| CVE-2018-1025 | Microsoft Browser Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-1039 | .NET Framework Device Guard Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-8112 | Microsoft Edge Security Feature Bypass Vulnerability | Important | No | No | 1 | N/A |
| CVE-2018-8119 | Azure IoT SDK Spoofing Vulnerability | Important | No | No | 3 | N/A |
| CVE-2018-8123 | Microsoft Edge Memory Corruption Vulnerability | Important | No | No | 1 | N/A |
| CVE-2018-8124 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-8126 | Internet Explorer Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-8127 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-8129 | Windows Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-8132 | Windows Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-8134 | Windows Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-8145 | Chakra Scripting Engine Memory Corruption Vulnerability | Important | No | No | 3 | N/A |
| CVE-2018-8147 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-8148 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-8149 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-8150 | Microsoft Outlook Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-8151 | Microsoft Exchange Memory Corruption Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-8152 | Microsoft Exchange Server Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-8154 | Microsoft Exchange Memory Corruption Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-8155 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-8156 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-8157 | Microsoft Office Remote Code Execution Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-8158 | Microsoft Office Remote Code Execution Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-8159 | Microsoft Exchange Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-8160 | Microsoft Outlook Information Disclosure Vulnerability | Important | No | No | N/A | 2 |
| CVE-2018-8161 | Microsoft Office Remote Code Execution Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-8162 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-8163 | Microsoft Excel Information Disclosure Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-8164 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-8165 | DirectX Graphics Kernel Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-8166 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-8167 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 |
| CVE-2018-8168 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | N/A | 2 |
| CVE-2018-8173 | Microsoft InfoPath Remote Code Execution Vulnerability | Important | No | No | 2 | 2 |
| CVE-2018-8179 | Microsoft Edge Memory Corruption Vulnerability | Important | No | No | 1 | N/A |
| CVE-2018-8897 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 3 | 3 |
| CVE-2018-8136 | Windows Remote Code Execution Vulnerability | Low | No | No | 2 | 2 |
| CVE-2018-8153 | Microsoft Exchange Spoofing Vulnerability | Low | No | No | 2 | 2 |
As for the rest of the release, browser bugs are again in the spotlight with 17 Critical- and seven Important- rated browser vulnerabilities patched this month. The Critical bugs allow remote code execution, while the Important bugs are a mix of info disclosure and security feature bypasses. There are also quite a few Office-related patches for May, with the most important being those for Outlook and SharePoint. There’s also an update from Exchange to prevent a command injection attack, although the exploit scenario here involves some social engineering, as well. The .NET Framework has a couple of Important-severity patches, but neither involves code execution. Finally, Windows itself gets its share of patches with kernel updates, a DirectX patch, and some security featured bypasses.
Microsoft also released a patch last week for a Windows Host Compute Service Shim remote code execution bug. However, the vulnerability wasn’t listed as public or under active attack, and while rated Critical, the bug carries an XI of 3 (unlikely to be exploited). It seems odd Microsoft would release this lone patch a week early. Perhaps they were aware of imminent exploitation. Regardless, don’t let this one escape your attention.
This month’s release also contains two oddities – Low-severity patches. The first is an Exchange spoofing vulnerability that could allow an XSS on OWA. Since user interaction is required, the severity gets knocked down. The second is ominously labelled “Windows Remote Code Execution Vulnerability,” but it requires the attacker to already be an authenticated domain user. It’s easy to see why these were lowered in severity rating, and kudos to Microsoft for fixing them regardless.
Finally, Microsoft also released their version of the aforementioned Adobe patch for Flash in Internet Explorer.
Looking Ahead
The next patch Tuesday falls on June 12, and we’ll return with details and patch analysis then. Follow us on Twitter to see the latest and greatest coming from the ZDI program. Until then, happy patching and may all your reboots be smooth and clean!