SecurityWeek

Microsoft Patches Zero-Day Flaws in Windows, Internet Explorer

Microsoft’s Patch Tuesday updates for August 2018 address 60 vulnerabilities, including two zero-day flaws affecting Windows and Internet Explorer.

One of the actively exploited vulnerabilities is CVE-2018-8414, which Microsoft learned of from Matt Nelson of SpecterOps. Nelson disclosed the details of the bug in June after Microsoft told him that “the severity of the issue is below the bar for servicing and that the case will be closed.”

Proofpoint then revealed in July that a financially-motivated threat actor tracked by the company as TA505 had been exploiting the flaw to deliver the FlawedAmmyy RAT.

Microsoft described the issue as a Windows Shell remote code execution vulnerability that can be exploited by getting the targeted user to open a specially crafted file. The company says the flaw impacts Windows 10 and Windows Server (versions 1709 and 1803).

According to Trend Micro’s Zero Day Initiative (ZDI), the same vulnerability also impacts Adobe Acrobat Reader. ZDI researcher Abdul-Aziz Hariri reported the weakness to Adobe, which also released a patch for it on Tuesday.

“The Acrobat patch blocks the embedding of certain files types – a tactic Microsoft has already done with Office 365 docs,” ZDI explained in a blog post published after the patches were released. “This [Microsoft] patch prevents the bypassing of traditional file execution restrictions within Windows. It’s fascinating to see exploit authors combine different products to evade detection and proliferate their malware.”

The second zero-day vulnerability patched on Tuesday by Microsoft is CVE-2018-8373, a remote code execution flaw that exists due to how the scripting engine in Internet Explorer handles objects in memory.

The security hole was reported to Microsoft by Elliot Cao of Trend Micro Security Research, but Trend Micro has yet to make any information public on the attacks it has seen.

On the other hand, the security firm did reveal that CVE-2018-8373 is very similar to CVE-2018-8174, which Microsoft patched in May. CVE-2018-8174 had been exploited by an unnamed advanced persistent threat (APT) actor when it was fixed.

“[The vulnerability] used a new UAF vulnerability in vbscript.dll. This UAF occurs when the VBScript engine uses AssignVar to assign a value to the element of an array accessed by AccessArray,” ZDI explained. “Interestingly, the previous CVE was also being actively exploited when patched. In other words, if there are similar bugs to this one, they will likely be found and exploited, too.”

A total of 20 vulnerabilities patched this month by Microsoft have been rated “critical” and, unsurprisingly, many of them impact Edge and Internet Explorer. Remote code execution flaws discovered in SQL Server, Exchange, and Windows have also been assigned a “critical” severity rating.

Some of the more interesting vulnerabilities patched by Microsoft this month, whose details were disclosed shortly after the tech giant pushed out the security updates, include an Active Directory Federation Services (ADFS) issue discovered by Okta and an Exchange RCE flaw reported by an anonymous researcher through ZDI.

UPDATE: Trend Micro has published technical details and information on the attacks involving CVE-2018-8373.

“Attribution is always difficult, but it seems clear whomever is behind these attacks are determined actors. When their first exploit was patched (CVE-2018-8174), they were able to develop the newer CVE-2018-8414 to continue their campaign. While we can’t with 100% certainty say these bugs are from the same people, the similarities seem more than coincidental. It would not shock me to see further exploits from this group,” Dustin Childs, communications manager for the ZDI, told SecurityWeek.

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
