August Patch Tuesday – 63 Vulns, L1TF (Foreshadow), Exchange, SQL, Active Attacks on IE flaw
Updated: Aug 16, 2018
In this month’s Patch Tuesday release there are 63 vulnerabilities patched with 20 Criticals. Out of the criticals, over half are browser-related, with the rest including Windows, SQL, and Exchange. Active exploits have been detected against CVE-2018-8373, one of the scripting engine vulnerabilities.
Browser and Scripting Engine patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. Microsoft has disclosed that CVE-2018-8373 has active exploits against Internet Explorer, making these patches a high priority. The PDF viewer, Windows Font Library, and GDI+ also have patches available that require a user to interact with a malicious site or file.
LNK Remote Code Execution
A vulnerability (CVE-2018-8345) exists in the processing of shortcuts. This patch should be prioritized for both workstations and servers, as the user does not need to click the file to exploit. Simply viewing a malicious LNK file can execute code as the logged-in user.
A vulnerability (CVE-2018-8302) was discovered in Exchange that can result in code executing as System. Exploitation of this vulnerability requires access to mailbox account setup, and can not be exploited by non-privileged users.
Microsoft SQL 2016/2017
Microsoft SQL was also patched for a remote code execution vulnerability (CVE-2018-8273). Exploiting this vulnerability does require the ability to execute SQL queries, but this could be accomplished by chaining an existing SQL injection vulnerability in a web application.
L1 Terminal Fault (Foreshadow)
Microsoft has released a guidance document on new speculative execution vulnerabilities in Intel processors, as well as a full technical analysis including mitigation options. Patches have been released, but require registry configuration to enable all mitigations. Exploitation of this vulnerability can allow VM guests to retrieve data from other guests, as well as process-to-process, which is similar to Meltdown.
Adobe has also released patches covering Flash, Acrobat/Reader, Experience Manager, and Creative Cloud. Two vulnerabilities in Acrobat and Reader have been marked as Critical. While Adobe ranks the Flash update as Important, Microsoft ranks it as Critical.