Microsoft’s December updates fix several dozen serious problems

SophosLabs UncutMicrosoftPatchPatch TuesdayUpdateWindowsWindows Update

Don’t give your computers a year-end holiday from regular updates this month

SophosLabs Uncut

By SophosLabs Offensive Security Research

After last week’s out of bound patch for Adobe Flash Player, which fixed two vulnerabilities, Microsoft released their monthly security updates for December on Tuesday. This month’s fixes address 38 vulnerabilities that affect Windows and a range of software that runs on Windows, including the IE and Edge browsers, the .NET framework, Microsoft Office applications such as Excel, Word, PowerPoint and Outlook and a few Windows Server services. In addition, there were patches released for two critical vulnerabilities in Adobe Flash, and for 85 vulnerabilities in Adobe Reader.

Among the 38 vulnerabilities in Microsoft products, 9 are categorized by Microsoft as critical and the rest important this month. About half of the critical vulnerabilities allow an attacker to execute remote code on the targeted system, while a handful can be used to elevate privileges on the infected machine. Through a successful social engineering attack (either with a malicious website or Office documents), an external attacker could fully compromise a targeted user’s machine.

All nine critical vulnerabilities are related to remote code execution; six are for Edge, one for Internet Explorer, one remote code injection in .NET, and one affects the Windows DNS Server. One of the Flash Player vulnerabilities (CVE-2018-15982) and one elevation of privilege vulnerability in the Windows NT kernel (CVE-2018-8611) have been observed in the wild, which makes them a must-patch.

Let’s have a closer look at some of the interesting vulnerabilities.

CVE-2018-15982 Adobe Flash Player Use After Free Remote Code Execution Vulnerability
In the TVSDK library, it is possible to get a dangling pointer that references an old and unused memory region. A subsequent allocation could overlap on that old memory region which could lead to a use after free vulnerability. The resulting type mismatch between the dangling pointer and the new allocation could lead a remote attacker to gain remote code execution. This vulnerability has been exploited in the wild.

CVE-2018-8611 Windows Kernel Elevation of Privilege Vulnerability
The NT kernel on 64-bit Windows 7 fails to handle some specific objects in memory that could be overwritten with arbitrary data. An attacker with code execution on the machine whether is local or remote through another exploit, could run a specially crafted application that would trigger the vulnerability to elevate the privilege to System. This vulnerability has been exploited in the wild.

CVE-2018-8583, CVE-2018-8617, CVE-2018-8618, CVE-2018-8624, CVE-2018-8626, CVE-2018-8629 Chakra Scripting Engine Memory Corruption Vulnerability
ChakraCore, the JavaScript engine of the Edge web browser, has multiple type confusion and out of bound write vulnerabilities that could lead a remote attacker, through a malicious website, to gain control of the targeted Windows 10 machine. The vulnerabilities, which have not been spotted exploited in the wild (yet) are all addressed in a single patch that will vary depending on whether your computer is running build 1703, 1709, 1803, or 1809 of Windows 10, which brings your version of ChakraCore up to 1.11.4.

CVE-2018-8634 Microsoft Text-To-Speech Remote Code Execution Vulnerability
The Microsoft test-to-speech feature, that can be access with a JavaScript script on the Edge web browser, suffers from a buffer overflow vulnerability. A remote attacker, through a website, could trigger the vulnerability and gain code execution on the victim’s computer.

CVE-2018-8540 .NET Framework Remote Code Injection Vulnerability
While this vulnerability sounds bad, it hasn’t been seen in the wild. Attackers who leverage it could run programs, view or change data, or create new user accounts on the affected computer. Moreover, the vulnerability requires an attacker to pass specially crafted data to a vulnerable .NET application, so even though the patch level is rated critical, Microsoft considers the actual possibility of exploitation as “less likely” — at least, for the moment. Unless you enjoy living life as a guinea pig, you’re better off patching now.

CVE-2018-8631 Internet Explorer Memory Corruption Vulnerability
Remember Internet Explorer? Researchers discovered an out of bounds vulnerability in the Internet Explorer 11 JScript engine that a remote attacker could leverage to execute arbitrary code. JScript is the old JavaScript engine of Internet Explorer that was replaced by ChakraCore. However, a webpage could still make a request that would force the use of JScript, instead of ChakraCore, to interpret its JavaScript code.

CVE-2018-8626 Windows DNS Server Heap Overflow Vulnerability
The Domain Name System (DNS) server on Windows 10, or in Windows Server 2012, 2016, 2019, or Server Core does not handle remote requests properly. All it takes for a remote attacker to run arbitrary code in the context of the highly privileged Local System account, and take full control of the machine, is to send it a properly crafted DNS request. Ouch.

How is Sophos responding to these threats?

Here is a list of protection released by SophosLabs in response to this advisory to complement any existing protection and generic exploit mitigation capabilities in our products.

CVE SAV IPS Intercept-X
CVE-2018-15982 Exp/201815982-ATroj/SWFExp-OP

Troj/SWFExp-OQ

Troj/SWFExp-OR

Troj/Crisis-B (payload)

sid:2200964 N/V
CVE-2018-8631 SID:9000791 N/V
CVE-2018-8587 sid:48407
CVE-2018-8617 sid:2200885
CVE-2018-8624 sid:2200967
CVE-2018-8583 sid:2200965
CVE-2018-8618 sid:2200966
CVE-2018-8625 sid:9000788
CVE-2018-8628 sid:9000789
CVE-2018-8629 sid:9000790
CVE-2018-8631 sid:9000791
CVE-2018-8634 sid:900792
CVE-2018-8629 sid:9000793

N/V = Not Validated. The PoC code provided with MAPP advisories does not include active exploits and as such is not applicable to Intercept X testing. The Intercept-X ability to block the exploit depends on actual exploit weaponization approach which we won’t see until it’s spotted in the wild. The SAV and IPS detections developed for the PoCs do not guarantee interception of in-the-wild attacks.

How long does it take to have Sophos detection in place?

We aim to add detection to critical issues based on the type and nature of the vulnerabilities as soon as possible. In many cases, existing detections will catch exploit attempts without the need for updates.

What if the vulnerability/0-day you’re looking for is not listed here?

If we haven’t released an update for a specific exploit, the most likely reason is that we did not receive the data that shows how the exploit works in the real world. As many of this month’s exploits were crafted in a lab and have not been seen in the wild, nobody has enough information (yet) about how criminals would, hypothetically, exploit any given vulnerability. If or when we receive information about real attacks, we will create new detections, as needed.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.