After time off in April, 0-days have returned with a small bang in May’s Patch Tuesday from Microsoft.
The loudest is a remote code execution vulnerability in the Windows VBScript Engine affecting all versions of Windows, first spotted three weeks ago by Chinese security firm Qihoo 360 while it was being exploited by nation state cybercriminals.
Dubbed ‘Double Kill’ (CVE-2018-8174), it can be deployed in a number of ways, including by luring an Internet Explorer user to a malicious website with embedded VBScript, using an ActiveX control marked ‘safe for initialization’, or via a malicious RTF file in an Office document.
Any one of these scenarios gives attackers control over the victim’s computer for data theft, eavesdropping or deploying ransomware, Microsoft said, hence the need to apply a patch as a high priority.
The next 0-day is CVE-2018-8120, an elevation-of-privilege vulnerability in the Win32k subsystem of Windows 7 32/64-bit and Windows Server 2008 R2.
An attacker would need to be logged into the target already in order to exploit the flaw, which is why it’s listed as ‘important’ rather than critical.
Microsoft hasn’t said how it’s being exploited, but having this kind of vulnerability to hand is gold for cybercriminals, which is why it should also be on the immediate fix list for anyone running Windows 7.
Two others worth mentioning are CVE-2018-8141, a kernel information disclosure flaw affecting Windows 10 1709, and CVE-2018-8170, an elevation-of-privilege vulnerability in Windows 10 1709 and 1703 32-bit.
Both are marked important rather than critical, but information about them is said to be in the public domain, although no exploits have been detected.
The best of the rest
Microsoft’s May vulnerability count reaches 68 CVEs, 21 of which are rated critical, 45 important, and only two low impact.
Of the remaining flaws marked ‘critical’, a strong browser theme is apparent, with an assorted dozen scripting engine memory corruption flaws affecting Edge and Internet Explorer, plus four more affecting Edge’s Chakra JavaScript engine.
Hyper-V is also patched for CVE-2018-0959 and CVE-2018-0961, while CVE-2018-0961 looks after the RCE in Windows Host Compute Service Shim.
Microsoft’s site offers plenty of detail on these vulnerabilities by platform and product but you’ll find a quicker-to-digest summary here.
Still fixing Flash
It’s not just Microsoft who is issuing patches – Adobe has fixed five CVEs.
One worth underlining is a critical fix for Flash Player (CVE-2018-4944) affecting all platforms including Windows 10 (Edge) and 8.1 and Server 2012/R2 (IE). The vulnerable version is 29.0.0.140, which requires an update to 29.0.0.171.
Flash is on its way out, but it’s likely that plenty of systems still have it installed and running for one reason or another, which is why we mark it for special attention.
Kyle
You might not want to mass deploy this patch, I think it’s uninstalling the NICs on client computers. Proceed with caution!