Microsoft Corporation's Patch Tuesday security update yesterday fixed 67 bugs, including two that have been actively exploited in zero-day attacks, and another two whose details became public.
The first zero-day vulnerability, CVE-2018-8174, is a remote code execution vulnerability in the Windows VBScript Engine, caused by an improper handling of objects in memory. Attackers can exploit this vulnerability to acquire the same user rights as the current legitimate user, and ultimately gain full control of an affected system.
BleepingComputer, citing researchers from Qihoo 360, reported last month that an APT group has been exploiting this bug in a complex attack that affects the latest versions of Internet Explorer and any other applications that use the IE kernel.
"In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website," Microsoft explains in a security advisory, crediting researchers from Qihoo 360 and Kaspersky Lab for the discovery. "An attacker could also embed an ActiveX control marked 'safe for initialisation' in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability."
The other exploited zero-day bug, CVE-2018-8120, is a Windows elevation of privilege vulnerability that occurs in the Win32k component when it fails to properly handle objects in memory. It can be exploited to run arbitrary code in kernel mode, allowing attackers unfettered control.
"To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system," warns Microsoft in another advisory that credits the bug's discovery to research from ESET.
"It has been reported that this vulnerability is actively being used by malware, although it's not clear how widespread that malware actually is," reports Trend Micro's Zero Day Initiative in a blog post. "The bug itself is just one of seven Kernel EoPs [elevation of privileges] being patched this month. Any of these bugs are targets malware authors could use in future attacks."
The two repaired bugs that previously went public, but do not appear to be actively exploited, are CVE-2018-8170, an EoP flaw in Windows kernel image, and CVE-2018-8148, an information disclosure flaw in the Windows kernel.
In total, 20 of the fixed vulnerabilities are marked critical, including multiple memory corruption vulnerabilities in the scripting engine, Chakra scripting engine and Microsoft browsers, and remote code execution issues in the Windows Hyper-V hypervisor product.
Other products and components that had vulnerabilities repaired include Microsoft Edge, Exchange, Office (specifically Excel software in certain cases), Outlook, SharePoint and more.