June 2018, and Windows Server can be pwned with a DNS request
Cortana also a little too eager to carry out commands
Microsoft has released its monthly security update, addressing a total of 51 CVE-listed security vulnerabilities.
The June edition of Patch Tuesday includes 11 fixes for critical vulnerabilities in Windows, including Microsoft's solution for the recently-disclosed Spectre Variant 4 chip design flaw.
Among the most serious bugs addressed this month is CVE-2018-8225, a remote code execution vulnerability present in the Windows DNSAPI. Microsoft says that the flaw would allow an attacker to take over the target system (either Windows or Windows Server) simply by sending a malformed DNS request.
"There are a couple of ways this could happen. The attacker could attempt to man-in-the-middle a legitimate query. The more likely scenario is simply tricking a target DNS server into querying an evil server that sends the corrupted response – something that can be done from the command line," explained Trend Micro ZDI's Dustin Childs.
"It’s also something that could be easily scripted. This means there’s a system-level bug in a listening service on critical infrastructure servers, which also means this is wormable."
Childs also recommends admins prioritize the fix for CVE-2018-8231, a remote code execution bug in Http.sys. As with the DNS flaw, this vulnerability would allow a server to be remotely pwned with a malformed packet, in this case HTTP.
Spectre still haunts
To help address last month's disclosure of a fourth Spectre variant, Microsoft has posted an update in its security fix that will allow for speculative store bypass to be disabled. This won't be the entire fix, however. Intel and AMD will need to post their own microcode updates to fully close the vulnerability.
Other critical patches include CVE-2018-8267, allowing remote code execution from a memory corruption flaw in the Windows scripting engine. That bug, exploitable via either IE or Office files, already has public exploit code circulating.
Three of the patches (CVE-2018-8110, CVE-2018-8111, and CVE-2018-8236) address remote code execution holes in Edge, while two remote code execution bugs in IE (CVE-2018-8249 and CVE-2018-0978) were patched as well.
Elsewhere, Microsoft addressed an elevation of privilege flaw in its Cortana personal assistant. CVE-2018-8140 stems from Cortana's failure to properly check command inputs. In practice, this would potentially allow an attacker who had either console or physical access to a device (i.e. within speaking distance) to trick Cortana into accessing applications or data the attacker would otherwise not be able to see.
Device Guard was a special point of focus this month. Microsoft issued fixes for seven different bugs (CVE-2018-8201, CVE-2018-8211, CVE-2018-8212, CVE-2018-8215, CVE-2018-8216, CVE-2018-8217, CVE-2018-8221) that would allow attackers to bypass the various security protections in the tool.
For Office, this month brings fixes for a remote code execution flaw in Excel (CVE-2018-8248) and elevation of privilege bugs in SharePoint (CVE-2018-8252, CVE-2018-8254), Outlook (CVE-2018-8244), Publisher (CVE-2018-8245), and Web Apps Server (CVE-2018-8247).
Fortunately, admins won't need to follow up this month's Microsoft update with a corresponding set of fixes from Adobe, who jumped the gun with an emergency patch for critical flaws in Flash. ®