May 2018 Patch Tuesday: Microsoft fixes 2 zero-day flaws reportedly exploited by APT group

Microsoft has released the May 2018 Patch Tuesday that addresses more than 60 vulnerabilities, including two Windows zero-day flaws that can be exploited for remote code execution and privilege escalation.

Microsoft May 2018 Patch Tuesday includes security patches for 67 vulnerabilities, including two zero-days that have already been exploited in the wild by threat actors.

The security updates address 21 vulnerabilities that are rated as critical, 42 rated important, and 4 rated as low severity. The flaws affect many products, including Microsoft Windows, Internet Explorer, Microsoft Edge, Outlook, Microsoft Office, Microsoft Office Exchange Server,  .NET Framework, Microsoft Hyper-V, ChakraCore, Azure IoT SDK, and others.

The most severe issue is CVE-2018-8174 zero-day, dubbed Double Kill, a critical vulnerability that could be exploited by remote attackers to execute arbitrary code on all supported versions of Windows.

The vulnerability was first reported by experts at Qihoo 360, according to the experts is was exploited by a known advanced persistent threat (APT) group in targeted attacks that targeted Internet Explorer and leveraged specially crafted Office weaponized documents.

The Double Kill vulnerability is a use-after-free issue that resides in the way the VBScript Engine handles objects in computer memory. An attacker can exploit the flaw to execute code that runs with the same system privileges as of the logged-in user.

“A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.” reads the advisory published by Microsoft. ” If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Security experts from Kaspersky confirmed the CVE-2018-8174 flaw was exploited in targeted attacks by an APT group, the hackers delivered weaponized documents to allow the download of a second-stage payload. Hackers tricked victims into visiting a malicious HTML page that contained the code to trigger the UAF and a shellcode that downloads the malicious payload.

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked ‘safe for initialization’ in an application or Microsoft Office document that hosts the IE rendering engine,” reads Microsoft’s explains in its advisory.  

“The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.”

The Microsoft May 2018 Patch Tuesday also addresses another zero-day vulnerability tracked as CVE-2018-8120, a privilege escalation that is related the way the Win32k component handles objects in memory. The flaw could be exploited by an authenticated attacker to execute arbitrary code in kernel mode.

“An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” reads the advisory.

“To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.”

The CVE-2018-8120 flaw only affects Windows 7 and Windows Server 2008.

The Microsoft May 2018 Patch Tuesday also fixed two Windows vulnerabilities rated as “important” whose details have been made public. The flaws are respectively a privilege escalation issue (CVE-2018-8170) and an information disclosure (CVE-2018-8141).

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Microsoft May 2018 Patch Tuesday, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]