Executive Summary
Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 50 flaws, with 11 of them rated "critical," and 39 rated "important." These vulnerabilities impact Microsoft Edge, Internet Explorer, Chakra Scripting Engine, Windows DNSAPI, Microsoft Office, Windows Kernel and more.
In addition to the 50 vulnerabilities referenced above, Microsoft has also released a critical update advisory, ADV180014, the June 2018 Adobe Flash Security Update, which addresses the vulnerabilities described in the security bulletin.
Critical vulnerabilities
This month, Microsoft is addressing 11 vulnerabilities that are rated "critical." Talos believes these three vulnerabilities in particular are notable and require prompt attention.
CVE-2018-8225 - Windows DNSAPI Remote Code Execution Vulnerability
A remote code vulnerability is present within Windows DNS. This vulnerability manifests due to DNSAPI.dll improperly handling DNS responses. This vulnerability could allow a remote attacker to execute arbitrary code within the context of the LocalSystem account on affected systems. An attacker could leverage a malicious DNS server and send specially crafted DNS responses to trigger this vulnerability.
CVE-2018-8229 - Chakra Scripting Engine Memory Corruption Vulnerability
A remote code execution vulnerability is present within Microsoft Scripting Engine. This vulnerability manifests due to the Chakra engine improperly handling objects in memory. This vulnerability could be leveraged by attackers to execute arbitrary code on affected systems within the context of the current user. This vulnerability could be leveraged in web-based attacks where a user is convinced to visit a web page that has been specially crafted to exploit this vulnerability. This could be in the form of an attacker controlled webpage, or simply a page that hosts external content, such as advertisements.
CVE-2018-8267 - Scripting Engine Memory Corruption Vulnerability
A remote code execution vulnerability is present within Microsoft Scripting Engine. This vulnerability manifests due to scripting engine not properly handling objects in memory in Internet Explorer. This vulnerability could be leveraged by attackers to execute arbitrary code on affected systems within the context of the current user. This vulnerability was publicly disclosed prior to a patch being made available.
Other vulnerabilities deemed "critical" are listed below:
- CVE-2018-8110 - Microsoft Edge Memory Corruption Vulnerability
- CVE-2018-8111 - Microsoft Edge Memory Corruption Vulnerability
- CVE-2018-8213 - Windows Remote Code Execution Vulnerability
- CVE-2018-8231 - HTTP Protocol Stack Remote Code Execution Vulnerability
- CVE-2018-8236 - Microsoft Edge Memory Corruption Vulnerability
- CVE-2018-8243 - Scripting Engine Memory Corruption Vulnerability
- CVE-2018-8249 - Internet Explorer Memory Corruption Vulnerability
- CVE-2018-8251 - Media Foundation Memory Corruption Vulnerability
- CVE-2018-8267 - Scripting Engine Memory Corruption Vulnerability
Important vulnerabilities
This month, Microsoft is addressing 39 vulnerabilities that are rated "important." One of these vulnerabilities is TALOS-2018-0545, which was assigned CVE-2018-8210. This vulnerability is a Windows remote code execution flaw that was discovered by Marcin Noga of Cisco Talos. Additional information related to this vulnerability can be found in the advisory report here.
Additionally, Talos believes the following vulnerability is notable and requires prompt attention.
CVE-2018-8227 - Chakra Scripting Engine Memory Corruption Vulnerability
A remote code execution vulnerability is present within the Microsoft Scripting Engine. This vulnerability manifests due to the Chakra engine improperly handling objects in memory. This vulnerability could be leveraged by attackers to execute arbitrary code on affected systems within the context of the current user. This vulnerability could be leveraged in web-based attacks where a user is convinced to visit a web page that has been specially crafted to exploit this vulnerability. This could be in the form of an attacker controlled webpage, or simply a page that hosts external content, such as advertisements.
Other vulnerabilities deemed "important" are listed below:
- CVE-2018-0871 - Microsoft Edge Information Disclosure Vulnerability
- CVE-2018-0978 - Internet Explorer Memory Corruption Vulnerability
- CVE-2018-0982 - Windows Elevation of Privilege Vulnerability
- CVE-2018-1036 - NTFS Elevation of Privilege Vulnerability
- CVE-2018-1040 - Windows Code Integrity Module Denial of Service Vulnerability
- CVE-2018-8113 - Internet Explorer Security Feature Bypass Vulnerability
- CVE-2018-8121 - Windows Kernel Information Disclosure Vulnerability
- CVE-2018-8140 - Cortana Elevation of Privilege Vulnerability
- CVE-2018-8169 - HIDParser Elevation of Privilege Vulnerability
- CVE-2018-8175 - WEBDAV Denial of Service Vulnerability
- CVE-2018-8201 - Device Guard Code Integrity Policy Security Feature Bypass Vulnerability
- CVE-2018-8205 - Windows Denial of Service Vulnerability
- CVE-2018-8207 - Windows Kernel Information Disclosure Vulnerability
- CVE-2018-8208 - Windows Desktop Bridge Elevation of Privilege Vulnerability
- CVE-2018-8209 - Windows Wireless Network Profile Information Disclosure Vulnerability
- CVE-2018-8210 - Windows Remote Code Execution Vulnerability
- CVE-2018-8211 - Device Guard Code Integrity Policy Security Feature Bypass Vulnerability
- CVE-2018-8212 - Device Guard Code Integrity Policy Security Feature Bypass Vulnerability
- CVE-2018-8214 - Windows Desktop Bridge Elevation of Privilege Vulnerability
- CVE-2018-8215 - Device Guard Code Integrity Policy Security Feature Bypass Vulnerability
- CVE-2018-8216 - Device Guard Code Integrity Policy Security Feature Bypass Vulnerability
- CVE-2018-8217 - Device Guard Code Integrity Policy Security Feature Bypass Vulnerability
- CVE-2018-8218 - Windows Hyper-V Denial of Service Vulnerability
- CVE-2018-8219 - Hypervisor Code Integrity Elevation of Privilege Vulnerability
- CVE-2018-8221 - Device Guard Code Integrity Policy Security Feature Bypass Vulnerability
- CVE-2018-8224 - Windows Kernel Elevation of Privilege Vulnerability
- CVE-2018-8226 - HTTP.sys Denial of Service Vulnerability
- CVE-2018-8233 - Win32k Elevation of Privilege Vulnerability
- CVE-2018-8234 - Microsoft Edge Information Disclosure Vulnerability
- CVE-2018-8235 - Microsoft Edge Security Feature Bypass Vulnerability
- CVE-2018-8239 - Windows GDI Information Disclosure Vulnerability
- CVE-2018-8244 - Microsoft Outlook Elevation of Privilege Vulnerability
- CVE-2018-8245 - Microsoft Office Elevation of Privilege Vulnerability
- CVE-2018-8246 - Microsoft Excel Information Disclosure Vulnerability
- CVE-2018-8247 - Microsoft Office Elevation of Privilege Vulnerability
- CVE-2018-8248 - Microsoft Excel Remote Code Execution Vulnerability
- CVE-2018-8252 - Microsoft SharePoint Elevation of Privilege Vulnerability
- CVE-2018-8254 - Microsoft SharePoint Elevation of Privilege Vulnerability
Coverage
In response to these vulnerability disclosures, Talos is releasing the following Snort rules that detects attempts to exploit them. Please note that additional rules may be released in the future, and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.
Snort Rules:
- 45628, 46927 - 46930, 46933 - 46935, 46938 - 46945, 46951 - 46958, 46961 - 46962
