By SophosLabs Offensive Security Research
After last week’s out-of-band patch for Adobe Flash Player, which fixed two vulnerabilities, Microsoft released its monthly security updates for December on Tuesday. This month’s fixes address 38 vulnerabilities that affect Windows and a range of software that runs on Windows, including the IE and Edge browsers, the .NET Framework, Microsoft Office applications such as Excel, Word, PowerPoint and Outlook, and a few Windows Server services. In addition, patches were released for two critical vulnerabilities in Adobe Flash and for 85 vulnerabilities in Adobe Reader.
Of the 38 vulnerabilities in Microsoft products, nine are categorized by Microsoft as critical and the rest as important this month. About half of the critical vulnerabilities allow an attacker to execute remote code on the targeted system, while a handful can be used to elevate privileges on an already infected machine. Through a successful social engineering attack (either with a malicious website or with Office documents), an external attacker could fully compromise a targeted user’s machine.
All nine critical vulnerabilities are related to remote code execution; six are for Edge, one for Internet Explorer, one remote code injection in .NET, and one affects the Windows DNS Server. One of the Flash Player vulnerabilities (CVE-2018-15982) and one elevation of privilege vulnerability in the Windows NT kernel (CVE-2018-8611) have been observed in the wild, which makes them a must-patch.
Let’s have a closer look at some of the interesting vulnerabilities.
CVE-2018-15982 Adobe Flash Player Use After Free Remote Code Execution Vulnerability
In the TVSDK library, it is possible to obtain a dangling pointer that references an old, no longer used memory region. A subsequent allocation could overlap that old region, which leads to a use-after-free condition. The resulting type mismatch between the dangling pointer and the new allocation could allow a remote attacker to gain remote code execution. This vulnerability has been exploited in the wild.
CVE-2018-8611 Windows Kernel Elevation of Privilege Vulnerability
The NT kernel on 64-bit Windows 7 fails to handle certain objects in memory, which could be overwritten with arbitrary data. An attacker who already has code execution on the machine, whether obtained locally or remotely through another exploit, could run a specially crafted application that triggers the vulnerability to elevate privileges to SYSTEM. This vulnerability has been exploited in the wild.
CVE-2018-8583, CVE-2018-8617, CVE-2018-8618, CVE-2018-8624, CVE-2018-8626, CVE-2018-8629 Chakra Scripting Engine Memory Corruption Vulnerability
CVE-2018-8634 Microsoft Text-To-Speech Remote Code Execution Vulnerability
CVE-2018-8631 Internet Explorer Memory Corruption Vulnerability
CVE-2018-8626 Windows DNS Server Heap Overflow Vulnerability
The Domain Name System (DNS) server on Windows 10, or on Windows Server 2012, 2016, 2019 or Server Core, does not handle remote requests properly. All it takes for a remote attacker to run arbitrary code in the context of the highly privileged Local System account, and take full control of the machine, is to send it a properly crafted DNS request. Ouch.
How is Sophos responding to these threats?
Here is a list of the protections released by SophosLabs in response to this advisory, which complement the existing protection and generic exploit mitigation capabilities in our products.
N/V = Not Validated. The PoC code provided with MAPP advisories does not include active exploits and as such is not applicable to Intercept X testing. Intercept X’s ability to block an exploit depends on the actual weaponization approach, which we won’t see until it is spotted in the wild. The SAV and IPS detections developed for the PoCs do not guarantee interception of in-the-wild attacks.
How long does it take to have Sophos detection in place?
We aim to add detection to critical issues based on the type and nature of the vulnerabilities as soon as possible. In many cases, existing detections will catch exploit attempts without the need for updates.
What if the vulnerability/0-day you’re looking for is not listed here?
If we haven’t released an update for a specific exploit, the most likely reason is that we did not receive the data that shows how the exploit works in the real world. As many of this month’s exploits were crafted in a lab and have not been seen in the wild, nobody has enough information (yet) about how criminals would, hypothetically, exploit any given vulnerability. If or when we receive information about real attacks, we will create new detections, as needed.