By Andrew O’Donnell and Andrew Brandt
This week, Microsoft and Adobe released their monthly security updates for August. This month’s fixes address a host of vulnerabilities that affect Windows and a panoply of software that runs on Windows, including the IE and Edge browsers, Microsoft Office, Visual Studio, Microsoft’s ChakraCore JavaScript engine, and Adobe Reader, Acrobat, and Flash.
The company also released new patches that update a mitigation fix released earlier this year to prevent newly discovered types of so-called speculative execution side channel attacks (popularly known as Spectre and Meltdown) that could affect computers running AMD, ARM, and Intel processors.
While there’s been some scuttlebutt about the CPU performance hit that Spectre and Meltdown patches could impose on users, Microsoft wrote that “for most consumer devices, we have not observed a noticeable performance impact after applying the updates.” This month, the patches for this vulnerability were released for a wide range of Windows versions, from the newest 64-bit Windows 10 to the 32-bit versions of Windows Server 2008 and Windows 7, as part of their normal update bundle.
All told, this is a good month for killing bugs. The patches fix:
- 64 vulnerabilities affecting a wide range of Microsoft products, with 21 of those classified as Critical.
- 11 vulnerabilities in various Adobe applications, with 2 classified as Critical.
A typical Windows 10 machine will receive updates designed to address 17 vulnerabilities that could affect the platform, including two rated by Microsoft as Critical. The critical updates address issues involving the use of maliciously crafted Windows font files (which could be used either in a webpage or embedded in an Office document) and the use of maliciously crafted Windows shortcuts (or .LNK files) to perform remote code execution. Of course, the specific updates your computer will receive will depend on what you’re running.
While both of these types of attacks could be potentially devastating, Microsoft indicated that, to the best of their knowledge, these particular attacks have not been seen in the wild yet, because the company became aware of the vulnerabilities when security researchers responsibly disclosed the bugs to them through a bug bounty program.
What Adobe fixed in their updates
Based on our analysis of the information provided by Adobe about the fixes they also released on Tuesday, Sophos believes that the updates affecting Adobe Reader, Acrobat, and Flash (specifically, version 30.0.0.134 or earlier) require special attention and action if you have any of those programs on your computer, as many people do. Adobe also released updates for its Creative Cloud and Experience Manager packages.
Flash, being a cross-platform utility, has been updated for the IE, Edge, and Chrome browsers, as well as for MacOSX and Linux. The update addresses five vulnerabilities that, if executed successfully, “could lead to arbitrary code execution in the context of the current user,” Adobe wrote. All of the vulnerabilities were responsibly disclosed to Adobe and have not been seen in the wild yet, so they only rate a threat level of “important.”
The fix for the three most recent versions of Acrobat DC and Reader DC addresses two vulnerabilities both rated as critical by Adobe. Either one of the bugs could permit a bad actor to arbitrarily launch code on the victim’s computer.
The following Acrobat products are affected:
Adobe Acrobat (APSB18-29):
- Acrobat DC with 2018.011.20058 and earlier versions
- Acrobat Reader DC with 2018.011.20058 and earlier versions
- Acrobat 2017 with 2017.011.30099 and earlier versions
- Acrobat Reader 2017 with 2017.011.30099 and earlier versions
- Acrobat DC 2015.006.30448 and earlier versions
- Acrobat Reader DC 2015.006.30448 and earlier versions
How is Sophos responding to these threats?
Sophos has released the following new detections to address some of the specific vulnerabilities mentioned above; Others may already be covered by existing detections. Additional detections may (and probably will) be released in the future.
Note: CVE-2018-8414 is also known as the SettingContent-ms vulnerability, that we previously blogged about:
CVE | SAV | IPS | Intercept-X |
CVE-2018-12799 | Exp/201812799-A | sid:46651 | N/V |
CVE-2018-12824 | Exp/201812824-A | sid:2200850 | N/V |
CVE-2018-12826 | SID | sid:2200851 | N/V |
CVE-2018-8414 | Exp/20188414-A Mal/PdfMsc-A CXmail/PDFStn-A |
sid:2200854 | Application Lockdown |
N/V = Not Validated. The proof-of-concept (PoC) code provided with MAPP advisories does not include active exploits, and as such is not applicable to Intercept X testing. The IX ability to block the exploit depends on the actual exploit weaponization approach, which we won’t see until someone spots it in the wild. The SAV and IPS detections developed for the PoCs do not guarantee interception of in-the-wild attacks.
SID = silent identity to gather telemetry data (this may not be shown under SAV column in the table if we have full detection.)
How long does it take to have Sophos detection in place?
We aim to add detection to critical issues based on the type and nature of the vulnerabilities as soon as possible. In many cases, existing detections will catch exploit attempts without the need for updates.
What if the vulnerability/0-day you’re looking for is not listed here?
If we haven’t released an update for a specific exploit, the most likely reason is that we did not receive the data that shows how the exploit works in the real world. As many of this month’s exploits were crafted in a lab and have not been seen in the wild, nobody has enough information (yet) about how criminals would, hypothetically, exploit any given vulnerability. If or when we receive information about real attacks, we will create new detections, as needed.