Patch Tuesday: Not March Madness After All

Patch Tuesday: Not March Madness After All

Patch Tuesday: Not March Madness After All

It’s been nearly two months since the Meltdown and Spectre drama began and Microsoft is still churning out patches to protect against these vulnerabilities (luckily there are no known exploits).

In total, Microsoft has released a whopping 75 security patches for March covering Internet Explorer, Edge, ChakraCore, Microsoft Windows, Microsoft Office, and ASP.NET Core. 14 are listed as critical and 61 are rated important in severity.

Quite the tally, but nothing of any real alarm with only two of these bugs publicly known, and none flagged as under active attack. That said, we like to take extra caution with all public disclosures as enough information is out there for a hacker to get a head-start on coding an attack!

Here is our rundown of the vulnerabilities that caught our attention this month:

CVE-2018-0886 – CredSSP Remote Code Execution Vulnerability
This patch corrects a pretty interesting vulnerability. For those not familiar with the CredSSP, it’s an authentication provider that processes authentication requests for other applications. CredSSP passes the user’s full credentials to the server without any constraint. This is key to how an attacker would exploit the bug. For example, with a Remote Desktop (RDP) session, an attacker could perform a man-in-the-middle attack to take control of the session. Another important point is that the admin team must also enable Group Policy settings and update the Remote Desktop clients. While these settings are disabled by default, Microsoft does provide instructions to enable them.

CVE-2018-0940 – Microsoft Exchange Elevation of Privilege Vulnerability
This is one of the publicly known bugs for March and involves an elevation of privilege vulnerability within Exchange Outlook Web Access (Webmail). This patch corrects a bug in Webmail that fails to properly sanitize links presented to users. According to Microsoft, an attacker could use this vulnerability to replace a legitimate OWA interface with a fake login page. Once at the page, the user would be prompted to enter their real credentials, likely to be stored and used by the hacker. This kind of bug is likely to be used in phishing attacks against targeted users or a target organisation.

CVE-2018-0868 – Windows Installer Elevation of Privilege Vulnerability
This bug in the Windows Installer could allow an elevation of privilege due to the improper sanitization of input. The multiple logic bugs could result in code execution with elevated privileges. At first glance, this doesn’t seem very crucial since an attacker would need the ability to run programs on a target system to exploit this vulnerability. However, this type of bug is often used by malware authors to “piggyback” their malicious code on top of innocuous code. It’s always easier to convince someone to install ‘GreatNewGame.exe’ instead of ‘EvilMalware.exe.’

You know the saying, in like a lion, out like a lamb. Who knows what the rest of March has in store but with such a high vulnerability count this month, we thought we’d just leave this reminder here…

— Sophie McDonald, Options Security Specialist


Leave a Reply

Your email address will not be published. Required fields are marked *