Patch Tuesday: May Has Two In The Wild


Top of mind for our Vulnerability Management team is the revelation from Microsoft that hackers are currently playing with two zero-day vulnerabilities.

Microsoft issued fixes for a total of 66 CVEs in its May Patch Tuesday update, covering Windows, Internet Explorer, Edge, Office and Exchange Server among others. We noted nothing alarming on the Adobe front, with three patches released to address five CVEs in Flash, Connect and the Creative Cloud Desktop Application.

Our focus is on those critical issues which are currently being exploited in the wild so let’s take a closer look…

CVE-2018-8174 – Windows VBScript Engine Remote Code Execution Vulnerability

“Double Kill”

This is one of two zero-day vulnerabilities this month. For those not familiar, a zero-day is a vulnerability that attackers are already exploiting before the vendor has made an official patch available, giving you zero days' warning to fix it!

Chinese security researchers at Qihoo Security reported the vulnerability to Microsoft in mid-April, and it has the potential to be heavily abused by hackers. Dubbed “Double Kill”, this vulnerability exists in the Windows VBScript engine and is being delivered via a malicious Microsoft Word document. If a user opens the file, Internet Explorer is started silently in the background, which ultimately leads to an executable being downloaded and executed without any warning. This payload is likely to be ransomware or other software used to take over the system.

Kaspersky Lab cautions this could be an APT (advanced persistent threat), so this is definitely the time to keep on top of the latest security updates and remind your users to be cautious when opening attachments, especially from unknown sources!

CVE-2018-8120 – Win32k Elevation of Privilege Vulnerability

This second zero-day vulnerability resides in older Windows OS versions (Windows 7, Server 2008, Server 2008 R2) and is being actively exploited by malware (though Microsoft did not give much detail on how widespread the attacks are). If you are running older Windows versions, this should be the red flag to plan your OS upgrade sooner rather than later!

To exploit this, an attacker must first be logged on to the system and run a specially crafted file to gain elevated privileges. According to Microsoft, the attacker could then have full permissions to install or remove programs, add users, and view, change or delete data. In addition to that overdue OS upgrade, good housekeeping will help mitigate potential exploitation of this vulnerability, so remember to regularly review local and domain administrator rights.
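One way to do that review, as an added example that is not part of the original post: the script below lists the members of the local Administrators group on one or more machines and flags any entry outside an approved baseline, then (where the RSAT ActiveDirectory module is installed) expands Domain Admins recursively so nested groups cannot hide extra accounts. It uses the ADSI WinNT provider so it also runs on the Windows 7 / Server 2008 R2 hosts the post mentions, which lack Get-LocalGroupMember. The $Approved list is a constructed placeholder; replace it with your own baseline.

```powershell
# Added example, not from the original post: audit local Administrators membership
# against an approved baseline and flag anything unexpected.
# $Approved is a constructed placeholder; substitute your own baseline.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string[]]$Approved     = @('Administrator', 'Domain Admins', 'Workstation Admins')
)

function Get-LocalAdminMember {
    param([Parameter(Mandatory=$true)][string]$Computer)
    # WinNT provider works on every Windows version the post discusses.
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        # Members come back as raw COM objects; read their properties via reflection.
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
        $name  = ($path -replace '^WinNT://', '') -replace '/', '\'   # e.g. CONTOSO\Domain Admins
        [pscustomobject]@{
            Computer = $Computer
            Member   = $name
            Type     = $class                                    # 'User' or 'Group'
            Approved = $Approved -contains ($name -split '\\')[-1]
        }
    }
}

$results = foreach ($c in $ComputerName) {
    try   { Get-LocalAdminMember -Computer $c }
    catch { Write-Warning "Could not query ${c}: $($_.Exception.Message)" }
}

$results | Sort-Object Computer, Approved | Format-Table -AutoSize

$unexpected = @($results | Where-Object { -not $_.Approved })
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) local admin entries are outside the approved baseline; review and remove."
}

# Domain side: expand Domain Admins recursively when the AD module is available.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Select-Object SamAccountName, objectClass, distinguishedName |
        Format-Table -AutoSize
}
```

Run it as `.\Audit-Admins.ps1 -ComputerName PC01,PC02` from an account that can read group membership on the targets; anything reported with Approved = False is a candidate for removal, and the recursive Domain Admins listing catches accounts that only inherit the right through a nested group.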

RDP Issue Caused by Patching This Month

When testing patches in our UAT environment this week we came across an issue caused by the fix for CVE-2018-0886, where a patched PC is unable to remote onto an unpatched PC or server. According to Microsoft, they began rolling out an update in March to CredSSP, the protocol used to authenticate remote desktop connections, to mitigate the risk of attack. This month, the updates mandate that a patched machine is unable to remote onto an unpatched machine without making a change to the registry. Although this will work as a temporary fix, we advise patching all servers/desktops in your estate as quickly as possible to avoid your helpdesk drowning in RDP-related calls.
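To keep track of that registry workaround across an estate, here is an added example that is not part of the original post: it reads the CredSSP Encryption Oracle Remediation value that the CVE-2018-0886 updates consult (the registry mirror of the Group Policy of the same name under Computer Configuration > Administrative Templates > System > Credentials Delegation) and reports each machine's state. The value meanings (0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable) are Microsoft's; the reporting logic and the ComputerName list are this example's own assumptions. Machines set to 2 are the ones carrying the temporary workaround and should be reverted once both ends are patched.

```powershell
# Added example, not from the original post: report the CredSSP "Encryption Oracle
# Remediation" setting on one or more machines. Values: 0 = Force Updated Clients,
# 1 = Mitigated, 2 = Vulnerable (the temporary registry workaround). A missing value
# means the default of whatever update level is installed applies.
param([string[]]$ComputerName = @($env:COMPUTERNAME))

$KeyPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$Meaning = @{ 0 = 'ForceUpdatedClients'; 1 = 'Mitigated'; 2 = 'Vulnerable (workaround in place)' }

function Get-CredSspOracleState {
    param([Parameter(Mandatory=$true)][string]$Computer)
    # Read HKLM directly for the local host, or via the Remote Registry service for others.
    $isLocal = $Computer -ieq $env:COMPUTERNAME
    $hive = if ($isLocal) { [Microsoft.Win32.Registry]::LocalMachine }
            else          { [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer) }
    $key = $null
    try {
        $key   = $hive.OpenSubKey($KeyPath)
        $value = if ($key) { $key.GetValue('AllowEncryptionOracle', $null) } else { $null }

        if ($null -eq $value)                      { $state = 'NotSet (update default applies)' }
        elseif ($Meaning.ContainsKey([int]$value)) { $state = $Meaning[[int]$value] }
        else                                       { $state = "Unknown ($value)" }

        [pscustomobject]@{
            Computer              = $Computer
            AllowEncryptionOracle = $value
            State                 = $state
        }
    } finally {
        if ($key)      { $key.Close() }
        if (-not $isLocal) { $hive.Close() }
    }
}

$report = foreach ($c in $ComputerName) {
    try   { Get-CredSspOracleState -Computer $c }
    catch { Write-Warning "Could not read registry on ${c}: $($_.Exception.Message)" }
}

$report | Format-Table -AutoSize

$workarounds = @($report | Where-Object { $_.AllowEncryptionOracle -eq 2 })
if ($workarounds.Count -gt 0) {
    Write-Warning "$($workarounds.Count) machine(s) still have the Vulnerable workaround set; remove it once the other end of each RDP session is patched."
}
```

Run it periodically while the rollout is in progress (`.\Check-CredSsp.ps1 -ComputerName SRV01,SRV02`); the warning at the end is the list of machines whose workaround needs reverting, which is easy to lose track of once the helpdesk calls stop.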

— Sophie McDonald, Options Security Specialist
