Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Microsoft Patches Zero-Day Flaws in Windows, Internet Explorer

Microsoft’s Patch Tuesday updates for August 2018 address 60 vulnerabilities, including two zero-day flaws affecting Windows and Internet Explorer.

Microsoft’s Patch Tuesday updates for August 2018 address 60 vulnerabilities, including two zero-day flaws affecting Windows and Internet Explorer.

One of the actively exploited vulnerabilities is CVE-2018-8414, which Microsoft learned of from Matt Nelson of SpecterOps. Nelson disclosed the details of the bug in June after Microsoft told him that “the severity of the issue is below the bar for servicing and that the case will be closed.”

Proofpoint then revealed in July that a financially-motivated threat actor tracked by the company as TA505 had been exploiting the flaw to deliver the FlawedAmmyy RAT.

Microsoft described the issue as a Windows Shell remote code execution vulnerability that can be exploited by getting the targeted user to open a specially crafted file. The company says the flaw impacts Windows 10 and Windows Server (versions 1709 and 1803).

According to Trend Micro’s Zero Day Initiative (ZDI), the same vulnerability also impacts Adobe Acrobat Reader. ZDI researcher Abdul-Aziz Hariri reported the weakness to Adobe, which also released a patch for it on Tuesday.

“The Acrobat patch blocks the embedding of certain files types – a tactic Microsoft has already done with Office 365 docs,” ZDI explained in a blog post published after the patches were released. “This [Microsoft] patch prevents the bypassing of traditional file execution restrictions within Windows. It’s fascinating to see exploit authors combine different products to evade detection and proliferate their malware.”

The second zero-day vulnerability patched on Tuesday by Microsoft is CVE-2018-8373, a remote code execution flaw that exists due to how the scripting engine in Internet Explorer handles objects in memory.

The security hole was reported to Microsoft by Elliot Cao of Trend Micro Security Research, but Trend Micro has yet to make any information public on the attacks it has seen.

On the other hand, the security firm did reveal that CVE-2018-8373 is very similar to CVE-2018-8174, which Microsoft patched in May. CVE-2018-8174 had been exploited by an unnamed advanced persistent threat (APT) actor when it was fixed.

“[The vulnerability] used a new UAF vulnerability in vbscript.dll. This UAF occurs when the VBScript engine uses AssignVar to assign a value to the element of an array accessed by AccessArray,” ZDI explained. “Interestingly, the previous CVE was also being actively exploited when patched. In other words, if there are similar bugs to this one, they will likely be found and exploited, too.”

A total of 20 vulnerabilities patched this month by Microsoft have been rated “critical” and, unsurprisingly, many of them impact Edge and Internet Explorer. Remote code execution flaws discovered in SQL Server, Exchange, and Windows have also been assigned a “critical” severity rating.

Some of the more interesting vulnerabilities patched by Microsoft this month, whose details were disclosed shortly after the tech giant pushed out the security updates, include an Active Directory Federation Services (ADFS) issue discovered by Okta and an Exchange RCE flaw reported by an anonymous researcher through ZDI.

UPDATE. Trend Micro has published technical details and information on the attacks involving CVE-2018-8373

“Attribution is always difficult, but it seems clear whomever is behind these attacks are determined actors. When their first exploit was patched (CVE-2018-8174), they were able to develop the newer CVE-2018-8414 to continue their campaign. While we can’t with 100% certainty say these bugs are from the same people, the similarities seem more than coincidental. It would not shock me to see further exploits from this group,” Dustin Childs, communications manager for the ZDI, told SecurityWeek.

Related: Microsoft Patch Tuesday Updates Fix Over 50 Vulnerabilities

Related: Microsoft Patches Two Windows Zero-Day Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.