Microsoft has deluged administrators with this month’s patch update round, fixing a total of 50 CVEs, 14 of them listed as critical.
Most experts have highlighted CVE-2018-0825 for urgent treatment. It’s an RCE flaw in Structured Query.
“This bug allows an attacker to get code execution through vulnerable versions of Microsoft Outlook. What’s truly frightening with this bug is that the Preview Pane is an attack vector, which means simply viewing an email in the Preview Pane could allow code execution,” explained Dustin Childs of the Zero Day Initiative.
“The end user targeted by such an attack doesn’t need to open or click on anything in the email – just view it in the Preview Pane. If this bug turns into active exploits – and with this attack vector, exploit writers will certainly try – unpatched systems will definitely suffer.”
Also worthy of note is the single publicly disclosed vulnerability in the list: CVE-2018-0771 is a Security Feature Bypass flaw in Edge that could allow an attacker to host a specially crafted website designed to exploit the vulnerability.
“Compromised websites and websites that accept or host user-provided content or advertisements are also susceptible,” explained Ivanti director of product management, Chris Goettl. “The attacker could force the browser to send data that would otherwise be restricted.”
Goettl also flagged a number of elevation of privilege flaws which could be leveraged by hackers who have already infiltrated systems, for example during an APT-style attack.
“CVE-2018-0820 (a vulnerability in the Windows Kernel), CVE-2018-0821 (Windows AppContainer), CVE-2018-0822 (NTFS Global Reparse Point), CVE-2018-0826 (Windows Storage Services), CVE-2018-0844 (Windows Common Log File System Driver), CVE-2018-0846 (Windows Common Log File System Driver), and CVE-2018-0823 (Named Pipe File System) each have an exploit index of 1 for the latest Windows versions,” he explained.
“These updates cover a lot of services and the kernel so the monthly OS updates will affect a broad surface area. This is also a good example of the importance of layered security. If you are running least privilege for users in your environment, vulnerabilities such as these can still enable an attacker to gain full control of a system.”
Elsewhere there was plenty from Adobe to keep admins busy this month: APSB18-02 resolves 41 vulnerabilities, including 17 critical ones.
Most urgent is the out-of-band update released earlier this month to fix a zero-day actively being exploited in the wild.