It's 2018, and a webpage can still pwn your Windows PC – and apps can escape Hyper-V
Scores of bugs, from Edge and Office to kernel code to Adobe Flash, need fixing ASAP
Patch Tuesday Microsoft and Adobe have patched a bunch of security bugs in their products that can be exploited by hackers to commandeer vulnerable computers, siphon people's personal information, and so on.
Redmond emitted 68 patches alone, 21 rated critical and at least two being actively exploited in the wild. Look into the browser and kernel patches first; then check out an Office 365 email filter bypass that isn't addressed; then Hyper-V, if you're using that; and then the rest.
Overall, there are fixes for Internet Explorer, Edge, Windows, Office and Office Services and Web Apps, ChakraCore, Adobe Flash Player, .NET Framework, Exchange Server, Windows Host Compute Service Shim, and more. Let's hop right to it.
Applications running within guest virtual machines on Microsoft's Hyper-V hypervisor can escape to the host machine and execute malicious code on it. That means software running in, and users logged into, guest VMs can take over other virtual machines as well as the underlying server. The bugs are CVE-2018-0959 and CVE-2018-0961; the latter involves vSMB. This is basically a nightmare scenario for hypervisor developers and administrators.
Edge, Internet Explorer, and Windows VBScript Engine
The VBScript Engine can be exploited, via memory corruption bug CVE-2018-8174, by a malicious webpage to execute arbitrary nefarious code on a system, paving the way to the installation of malware.
Hackers – including nation-state agents – are already abusing this programming cockup right now to compromise computers in the wild and spy on targets. The flaw was discovered and reported by Anton Ivanov and Vladislav Stolyarov of Kaspersky Lab, as well as Ding Maoyin, Jinquan, Song Shenlei, and Yang Kang of Qihoo 360 Core Security.
"In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website," Microsoft noted.
"An attacker could also embed an ActiveX control marked 'safe for initialization' in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability."
The Chakra Scripting Engine in Edge can also be exploited, via CVE-2018-0943, by evil webpages to run code and malware on a computer visiting said page. See also the following in Edge's Chakra and Internet Explorer's scripting engine: CVE-2018-0945, CVE-2018-0946, CVE-2018-0951, CVE-2018-0953, CVE-2018-0954, CVE-2018-0955, CVE-2018-1022, CVE-2018-8114, CVE-2018-8122, CVE-2018-8128, CVE-2018-8130, CVE-2018-8133, CVE-2018-8137, CVE-2018-8139, CVE-2018-8177, and CVE-2018-8178. Phew!
Another flaw being actively exploited by crooks is CVE-2018-8120 in the Windows kernel (specifically, the Win32k component): malware running on a vulnerable system can use it to gain administrator privileges and completely hijack the device. This affects just Windows 7 and Server 2008.
It was found and reported by Anton Cherepanov of ESET.
However, Windows 10 is affected by CVE-2018-8170, a privilege escalation in Windows' image processing system – if an application throws a dodgy snap at the kernel, it can gain admin access over the machine.
There are also other kernel-level privilege escalation bugs in various releases of Windows, for instance CVE-2018-8897, CVE-2018-8134 and CVE-2018-8124, that can be used by applications and logged-in users to gain admin rights.
Exchange and Office 365
Microsoft Exchange has a vulnerability, CVE-2018-8153, that allows Outlook Web Objects to be exploited to direct people to dodgy websites that masquerade as legit sites to steal their login passwords and other information. To pull this off, you'd have to email a victim a dodgy link, or message them in chat, and trick them into following it.
"An attacker who successfully exploited the vulnerability could perform script or content injection attacks, and attempt to trick the user into disclosing sensitive information," Microsoft explained. "An attacker could also redirect the user to a malicious website that could spoof content or be used as a pivot to chain an attack with other vulnerabilities in web services.
"To exploit the vulnerability, an attacker could send a specially crafted email containing a malicious link to a user. An attacker could also use a chat client to social engineer a user into clicking the malicious link. However, in both examples the user must click the malicious link."
The above fix does not address a security hole reported this month by Avanan, in which you can bypass Office 365's message filters by splitting the URL of a dodgy site across an HTML email: a <base> tag supplies the host, so a link that looks clean on its own actually points to a malicious site. There is, right now, no known mitigation against emails exploiting this weakness in Office 365.
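The practical lesson for anyone writing or tuning a mail filter is that an href attribute on its own is not the destination; the client resolves it against whatever <base href> the message carries. The following is an added example, not code from the article or from Avanan or Microsoft, that resolves every link in an HTML message the way a mail client would and flags links whose host comes from the <base> tag rather than the href itself, or whose visible text names a different host than the one actually contacted. The sample message and the bad.example host are constructed for illustration.

```python
"""Resolve the effective target of each link in an HTML email, honouring <base href>,
so a filter judges the same URL the mail client will actually follow.
Uses only the Python standard library."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class LinkResolver(HTMLParser):
    """Collects (raw_href, effective_url, visible_text) for every <a href> in the message."""

    def __init__(self):
        super().__init__()
        self.base = None      # first <base href> seen, if any
        self.links = []       # (raw_href, effective_url, visible_text)
        self._open = None     # (raw_href, [text chunks]) while inside an <a>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href") and self.base is None:
            # Browsers and mail clients honour only the first <base href>.
            self.base = a["href"]
        elif tag == "a" and a.get("href") is not None:
            self._open = (a["href"], [])

    def handle_data(self, data):
        if self._open:
            self._open[1].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._open:
            raw, chunks = self._open
            # urljoin is the same relative-reference resolution the client performs.
            effective = urljoin(self.base or "", raw)
            self.links.append((raw, effective, "".join(chunks).strip()))
            self._open = None


def resolve_links(html):
    """Return [(raw_href, effective_url, visible_text)] for a message body."""
    parser = LinkResolver()
    parser.feed(html)
    parser.close()
    return parser.links


def suspicious_links(html):
    """Return [(effective_url, [reasons])] for links a literal-href filter would misjudge."""
    findings = []
    for raw, effective, text in resolve_links(html):
        raw_host = urlparse(raw).netloc
        eff_host = urlparse(effective).netloc
        reasons = []
        if raw_host != eff_host:
            reasons.append("host supplied by <base>, not by the href")
        text_host = urlparse(text).netloc if "://" in text else ""
        if text_host and text_host != eff_host:
            reasons.append("visible URL text names a different host")
        if reasons:
            findings.append((effective, reasons))
    return findings


# Constructed sample message (not from the report); bad.example is a hypothetical host.
SAMPLE = """<html><head><base href="https://bad.example/"></head>
<body><p>Your invoice: <a href="login/index.html">https://portal.example/login</a></p>
<p>Help: <a href="https://help.example/faq">FAQ</a></p></body></html>"""

if __name__ == "__main__":
    for url, why in suspicious_links(SAMPLE):
        print(url, "->", "; ".join(why))
```

Run stand-alone, the script reports the invoice link as resolving to bad.example for both reasons, while the help link, whose href already names its host, is left alone. A filter that only pattern-matches the literal href string sees "login/index.html" and nothing to block, which is exactly the gap the report describes.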
Here's a video demonstrating how to sidestep Microsoft's defenses using <base> tags:
If you're relying on Microsoft's cloud suite to block messages with links to bad websites, bear in mind that miscreants are using this filter bypass in the wild to send people URLs to phishing websites. Redmond is now aware of the problem, and recommends not clicking on links from strangers.
"We encourage customers to practice safe computing habits by avoiding opening links in emails from senders they don’t recognize," a spokesperson said.
Office and Excel
Opening odious Office documents, including Excel spreadsheets, on a vulnerable machine can trigger the execution of malware and spyware. For example, CVE-2018-8162 in Excel, and CVE-2018-8158 and CVE-2018-8161 in Office, can be leveraged by booby-trapped files to run spyware or ransomware on a system once viewed.
Similarly, Microsoft COM for Windows can be exploited, via CVE-2018-0824, to run arbitrary code smuggled in an email or webpage.
If you can trick an administrator into importing a booby-trapped container image, you can exploit CVE-2018-8115 in the Windows Host Compute Service Shim to trigger the execution of malicious code on the host server.
Domain accounts and others
Someone on your network with a domain account can exploit CVE-2018-8136 to gain administrator privileges. There are also other privilege escalation bugs, such as in SharePoint (CVE-2018-8168), the Windows Common Log File System Driver (CVE-2018-8167), and DirectX (CVE-2018-8165). These can be used to go from normal user access to full administrative control on a vulnerable installation.
Azure's IoT Device Provisioning AMQP Transport library – a software toolkit that runs on gadgets – does not properly validate security certificates sent from its cloud-hosted backend. That shortcoming, CVE-2018-8119, means miscreants can, in a man-in-the-middle attack, masquerade as Azure servers on a network, and hijack and eavesdrop on supposedly secure connections from IoT devices during provisioning. Good luck patching gizmos in the field using this broken library.
Adobe's software sieve Flash Player, as usual, needs updating on Windows, Macs and Linux systems, lest a malicious Flash file hijack your system. Adobe Connect also needs patching on all platforms to avoid it leaking sensitive information, and Creative Cloud Desktop Application for Windows and macOS needs fixing to thwart attempts to escalate privileges via the software suite.
As always, please apply the patches as soon as possible, after testing and what not, to avoid losing control of your systems and data to miscreants exploiting these programming blunders. These remote-code execution and privilege escalation bugs can be chained to fully compromise a system simply by opening a webpage linked from social media, an emailed document, and so on.
Bugs within bugs
Bear in mind there are caveats with Microsoft's May updates. On Windows 10 version 1607, applying the fixes may affect the deployment of earlier feature upgrades. On Windows 10 version 1709, some non-English installations may display the wrong messages when viewing scheduled jobs. And systems running Windows 7 Service Pack 1, or Windows Server 2008 R2 Service Pack 1, may crash with a blue-screen-of-death if their processors do not support SSE2 – which was introduced in 2001, so said machines would have to be really, really old to be affected. ®