A bevy of newly revealed vulnerabilities in code from Microsoft and Adobe will require immediate fixing.
Microsoft’s May security bulletin includes fixes for 67 unique flaws in its software, of which 21 are rated critical, which typically means they can be remotely exploited by attackers to execute arbitrary code on the vulnerable system. Of the remaining flaws, 42 are rated important, while four are of low severity.
Vulnerable software includes Microsoft’s Edge and Internet Explorer browsers, as well as its Office, Exchange and Outlook software.
The most critical flaw is a “use after free” vulnerability in the Windows VBScript engine that can be used to force Internet Explorer to load and execute code.
The flaw, designated CVE-2018-8174, was first identified last month by researchers at Moscow-based security firm Kaspersky Lab and reported to Microsoft. It exists in Windows 7, Windows RT, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012 and Windows Server 2016.
“This exploit was used in the wild and was used by an APT actor,” the Kaspersky Lab researchers say in a blog post.
As defined by Estonia’s foreign intelligence service, APT – short for advanced persistent threat – refers to “carefully targeted, long-term cyber operations in the course of which attackers combine multiple methods to obtain the needed information about the target.”
The Kaspersky Lab researchers say they found the flaw after the company’s sandbox system automatically analyzed an exploit that someone uploaded to malware-scanning service VirusTotal on April 18. “This exploit was detected by several AV vendors including Kaspersky, specifically by our generic heuristic logic for a couple of older Microsoft Word exploits,” the researchers say.
The zero-day attack targeted victims via malicious Microsoft Word documents.
Kaspersky Lab says the attack proceeds as follows:
The victim receives a malicious Microsoft Word document in RTF format that contains an OLE – “object linking and embedding” – object that uses a URL Moniker to force Internet Explorer to load specified web content from a remote server.
If the victim opens the malicious document, a second-stage exploit is downloaded in the form of an HTML page containing VBScript code.
The VBScript code triggers a use-after-free – a type of memory corruption – vulnerability to execute shellcode.
“Despite a Word document being the initial attack vector, the vulnerability is actually in VBScript, not in Microsoft Word,” Kaspersky Lab researchers say.
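The first stage of the chain above, an RTF lure that embeds an OLE object bound to a URL Moniker, leaves a static fingerprint that a mail gateway or triage script can look for before anything is rendered. The following scanner is an added example for this article, not code from Kaspersky Lab or Microsoft. It pulls the hex text out of each RTF `\objdata` group, decodes it, checks for the URL Moniker class identifier (the well-known CLSID {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}, which the article does not spell out) and lists any URL strings found beside it. The two sample documents, the `remote.example` host and the simplified object stream are constructed for the demonstration and are not real malware.

```python
"""Triage helper: flag RTF files whose embedded OLE objects carry a URL Moniker.

Added example for this article, not Kaspersky Lab's or Microsoft's code. It
covers only the lure-document stage (RTF -> OLE object -> URL Moniker -> remote
content) and reports what a scanner can see without opening the file in Word.
"""
from __future__ import annotations

import re
import uuid

# Well-known CLSID of the URL Moniker, {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}.
# OLE serialises GUIDs with little-endian leading fields, hence bytes_le.
URL_MONIKER_BYTES = uuid.UUID("79eac9e0-baf9-11ce-8c82-00aa004ba90b").bytes_le

# An \objdata group holds the object's OLE stream as hex text that runs up to
# the closing brace of its group.
OBJDATA_RE = re.compile(rb"\\objdata\b([^}]*)")

# URLs inside the stream may be stored as ASCII or as UTF-16LE; match both.
URL_ASCII_RE = re.compile(rb"https?://[\x21-\x7e]+")
URL_UTF16_RE = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+"
)


def decode_objdata(hex_text: bytes) -> bytes:
    """Convert the hex text of one \\objdata group into raw bytes.

    Whitespace and any other non-hex characters are dropped; an odd trailing
    nibble (truncated file) is ignored rather than raising.
    """
    digits = re.sub(rb"[^0-9A-Fa-f]", b"", hex_text)
    if len(digits) % 2:
        digits = digits[:-1]
    return bytes.fromhex(digits.decode("ascii"))


def scan_rtf(data: bytes) -> list[dict]:
    """Return one finding per embedded object: stream size, moniker flag, URLs."""
    findings = []
    for index, match in enumerate(OBJDATA_RE.finditer(data)):
        blob = decode_objdata(match.group(1))
        urls = {u.decode("ascii", "replace") for u in URL_ASCII_RE.findall(blob)}
        urls |= {u.decode("utf-16-le", "replace") for u in URL_UTF16_RE.findall(blob)}
        findings.append({
            "object_index": index,
            "stream_size": len(blob),
            "url_moniker": URL_MONIKER_BYTES in blob,
            "urls": sorted(urls),
        })
    return findings


def is_suspicious(findings: list[dict]) -> bool:
    """An RTF that embeds an object bound to a URL Moniker deserves a closer look."""
    return any(f["url_moniker"] for f in findings)


# --- Constructed samples (not real malware) ---------------------------------

def build_moniker_sample() -> bytes:
    """RTF with an object whose stream carries the URL Moniker CLSID and a URL.

    The stream is a simplified stand-in for a real OLE container: only the
    CLSID followed by a UTF-16LE URL, which is enough to exercise the scan.
    """
    stream = URL_MONIKER_BYTES + "http://remote.example/second-stage.html".encode("utf-16-le")
    hex_text = stream.hex().encode("ascii")
    return (b"{\\rtf1\\ansi{\\object\\objautlink{\\*\\objdata " + hex_text + b"}}"
            b" Quarterly report}")


def build_benign_sample() -> bytes:
    """RTF with an embedded object that has neither a moniker nor a URL."""
    return b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 0105000002000000}} Notes}"


if __name__ == "__main__":
    for name, sample in (("moniker", build_moniker_sample()),
                         ("benign", build_benign_sample())):
        result = scan_rtf(sample)
        print(name, "suspicious" if is_suspicious(result) else "clean", result)
```

The moniker check is the signal worth alerting on; the URL list is context for the analyst, since it shows where the embedded object would fetch its second stage from. Real lures often pad or obfuscate the hex run, which is why the decoder strips non-hex characters instead of expecting a clean blob.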
Warning: Patch Flaw Immediately
Security experts recommend all Windows users – individuals and businesses alike – patch this flaw as quickly as possible.
“This is the first time we’ve seen a URL Moniker used to load an IE exploit, and we believe this technique will be used heavily by malware authors in the future,” Kaspersky Lab researchers say. “This technique allows one to load and render a web page using the IE engine, even though the default browser on the victim’s machine is set to something different.”
Microsoft, in a Tuesday security advisory, warned that the flaw could also be exploited via a malicious or compromised website.
“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and convince a user to view the website,” Microsoft warns.
The exploit could also be delivered via malicious advertisements, or malvertising (see Internet Advertising: Hackers’ Little Helper).
“The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements,” Microsoft says. “These websites could contain specially crafted content that could exploit the vulnerability.”
Microsoft says it was alerted to the flaw by both Kaspersky Lab and researchers from Chinese security firm Qihoo 360 Core Security.
Attackers Exploit Win32k Flaw
Also on Tuesday, Microsoft patched a privilege elevation vulnerability in Win32k, a critical system component of Windows. The bug, designated CVE-2018-8120, is being exploited in the wild. It allows attackers to run arbitrary code in kernel mode, meaning they can fully compromise a vulnerable system, install malware and steal data.
“To exploit this vulnerability, an attacker would first have to log on to the system,” according to Microsoft’s security advisory. “An attacker could then run a specially crafted application designed to exploit the vulnerability and take control of an affected system.”
The flaw was discovered and reported by Anton Cherepanov, a senior malware researcher at ESET, Microsoft says.
The fix issued Tuesday updates the vulnerable operating system versions, which include both 32-bit and 64-bit versions of Windows 7 and Windows Server 2008. “The update addresses this vulnerability by correcting how Win32k handles objects in memory,” Microsoft says.
More Patches: Hyper-V, Kernel, Azure IoT Device Library
Also on Tuesday, Microsoft issued an update to its Windows Server virtualization platform, Hyper-V. It fixes CVE-2018-0961, which could be used to abuse vSMB packets so that an attacker who already had access to a virtual machine instance could “run a specially crafted application that could cause the Hyper-V host operating system to execute arbitrary code,” it says.
It also fixed CVE-2018-0959, which an attacker could exploit from a guest operating system on Hyper-V, again to execute arbitrary code.
Two other fixes of note include Microsoft’s patch for a privilege-escalation vulnerability in the Windows kernel that could be abused by a local attacker. The flaw in Windows 10 and Windows Server, designated CVE-2018-8170, was publicly reported but has not yet been seen in in-the-wild attacks.
Also, Microsoft has fixed a spoofing vulnerability in its Azure IoT Device Provisioning AMQP Transport library. “An attacker who successfully exploited this vulnerability could impersonate a server used in the provisioning process,” per Microsoft’s security alert. “To exploit this vulnerability, an attacker would need to perform a man-in-the-middle (MitM) attack on the network in which provisioning was taking place.”
Critical Flash Fix
Microsoft’s Tuesday security alert also references fixes from Adobe. On Tuesday, Adobe released updates for Flash Player on Windows, Macintosh, Linux and Chrome OS to fix a “type confusion” flaw that attackers could exploit to execute arbitrary code on a system.
Adobe credits discovery for this “critical” flaw, designated CVE-2018-4944, to Jihui Lu of security research group Tencent KeenLab (see 2016 Resolution: Ditch Flash).
Where to start? “Microsoft recommends first fixing CVE-2018-8174, then focusing on all browser updates, and then turning your attention to Hyper-V,” says Gill Langston, director of product management at Qualys, in a blog post.
First, however, some organizations may need to update their version of Windows to ensure that they are still receiving the latest cumulative and security updates.
Last month, Microsoft warned that it would no longer be supporting Windows 10 version 1607, aka the “Anniversary Update,” which was first introduced in August 2016, or older versions of the OS. Business users can continue to receive security-only updates for a few more months, Microsoft says, or organizations can pay for pricey extended-support contracts.