SophosLabs Uncut
Threat Research

Microsoft’s September patches fix a raft of serious bugs

Updates for Windows and Mac users resolve more than five dozen software vulnerabilities

By Andrew Brandt

Microsoft last week addressed 62 different vulnerabilities in its monthly round of updates for Windows, Office, and other software, 17 of which the company classified as critical. Affected products span Microsoft’s software catalogue, including Office applications for Mac and Windows, developer tools, the .net platform, four major browser releases (Internet Explorer 9 through 11 and Edge), and Desktop and Server operating systems.

Among these updates deemed most critical, Microsoft reports that at least four of the vulnerabilities were publicly disclosed prior to the update’s release (the critical classified CVE-2018-8457 and CVE-2018-8475, the actively exploited CVE-2018-8440, and the annoying-but-disruptive CVE-2018-8409), which makes the exploitation of those vulnerabilities much more likely (or already happening).

In addition, some of the vulnerabilities only require a victim to do something as simple as download an image, or open a specially crafted Office document file, in order for the attacker to successfully run arbitrary commands on the victim’s machine. While these vulnerabilities may not have been disclosed prior to the update’s release (and, in fact, several of the discoveries came from internal teams within Microsoft), it’s a safe bet that exploit developers are furiously working towards building them now, so they won’t remain a hypothetical risk for long.

Internet Explorer and Edge

If you’re using any version of Windows that currently receives updates (Windows 7 or later), then you probably have a browser on your PC affected by these patches. It’s not really much of a surprise that older browsers may need some updates, but this month’s patches also target Edge, Microsoft’s totally-redesigned browser that supplants IE, but may also be installed along with IE on some systems.

Some of the Edge-specific vulnerabilities originate in the scripting system (called Chakra) that Microsoft created specifically to address scripting vulnerabilities in IE. The available patches not only update Edge, but also will update Chakra development tools, if you have them installed.

Other weaknesses include memory corruption bugs in Internet Explorer, in some cases affecting versions going back to IE 9 for the decade-old Windows Server 2008. While this seems like a bit of an edge-case, there are still lots of machines running these older operating systems in a wide variety of business environments, including (as observed last week by a labs employee) on the computers for employee use on the showroom floor of at least one well known retailer in the US.

Bugs like this memory corruption vulnerability only require the user to accidentally click a link to a malicious website, or even just browse a site that could serve malvertising. While Microsoft says that (to its knowledge) these vulnerabilities haven’t been exploited yet, it’s probably only a matter of time.

Microsoft Office and the fonts

The most serious of the bugs affecting Office users is CVE-2018-8332, otherwise known as the Win32k Graphics Remote Code Execution Vulnerability, wherein a library common to all supported versions of Windows (and that’s also present in Office 2016 for Mac) renders unpatched machines vulnerable to an exploit in which a weaponized Office document contains a specially-crafted embedded font.

If the user of an unpatched computer were to try to open or preview the maldoc, the vulnerability allows the attacker to, in Microsoft’s words, “take control of the affected system,” though there are no specific details explaining how that might happen. The company does add that users with more restrictive permissions are less likely to suffer the worst effects of this vulnerability should it be exploited in the future.

The update for this bug appears in the Monthly Rollup patch packages.

Flash updated, and the FragmentSmack DoS appears

Aside from the critical patches, it’s worth mentioning that Adobe has released an update to the Flash player browser plugin for all browsers and operating systems. The vulnerability this update fixes, involving an information disclosure, is not considered critical but may affect a large number of users, since the plugin is so widely distributed.

In addition, Microsoft published an advisory warning Windows users that they’re also vulnerable to a bug in the Windows network stack that can be used to create a denial-of-service situation. The bug, known informally as FragmentSmack (and officially designated as CVE-2018-5391), affects both Linux and Windows systems and can result in a targeted system’s CPU getting pegged at 100% and the machine becoming unresponsive.

Microsoft published a workaround to FragmentSmack that prevents the situation that causes the DoS from arising, but implementing the changes to block the DoS may also slow down some unstable Internet connections. Administrators should take this into consideration before implementing the workaround; It should only be done where necessary.

Getting updates quicker

The company’s Cumulative Update releases, which bundle together patches that address a number of issues into a single, somewhat large installer, will fix the majority of these (and many more less-severe) bugs. These Cumulative update packages are larger than most because they contain a comprehensive set of updates for packages that may have been patched earlier in other update releases.

But if you’re like some of us in the lab, you may not receive Automatic Updates right away, because of the way Microsoft staggers the release of updates for some users. In those cases, you can (and probably should) make the effort to download and install manually at least the updates that address the critical bugs from the Microsoft Update Catalogue website.

If you plan to download your own updates, and you don’t want to wait for the Windows Update mechanism to decide you deserve a patch, you’ll need to know which version of Windows you’re running, and whether it’s a 32-bit or 64-bit operating system. Click the Start menu and type Run (or hold the Windows key down while pressing the R key), enter winver.exe into the Run dialog box, and take note of the build number you’re running. If you don’t know whether you have a 32-bit (x86) or 64-bit (x64) operating system, right-click My Computer and choose Properties to find out.

Once you know which build and version of Windows you’re using, you can search the Microsoft Update Catalog website, or filter this spreadsheet of September Microsoft update releases, to find the patches you need to install.

Sophos vulnerability protection

While Intercept X doesn’t have any updates targeting the exploitation of vulnerabilities fixed by these updates, that’s to be expected because its protection is centered around the malicious behavior and not the specific exploit methods employed by criminals.

Sophos has released IDS signatures for the Firewall to block the network-based threats described in some of the vulnerability disclosures. The following chart lists the specific SIDs that are tied to individual vulnerability designators.

CVE Detection
CVE-2018-8367 sid:2200888
CVE-2018-8391 sid:2200887
CVE-2018-8420 sid:2200886
CVE-2018-8447 sid:2200889
CVE-2018-8456 sid:2200885
CVE-2018-8459 sid:9000751
CVE-2018-8461 sid:9000752
CVE-2018-8464 sid:9000753
CVE-2018-8466 sid:9000754
CVE-2018-8467 sid:9000755

 

SophosLabs thanks researchers Andrew O’Donnell, Jason Zhang, and Mukesh Kumar for their contribution to this report.