Patch Tuesday: Foreshadow Casts Its Shade

Patch Tuesday: Foreshadow Casts Its Shade

Patch Tuesday: Foreshadow Casts Its Shade

It may still be vacation season, but this month’s Patch Tuesday has confirmed that security doesn’t take a holiday! Microsoft have addressed 12 critical vulnerabilities and of course, the casting of Foreshadow.

In an already challenging year for CPU manufactures, there is now a third major chip flaw to add to Spectre and Meltdown. Dubbed Foreshadow, this latest vulnerability impacts Intel’s Core and Xeon CPUs, potentially granting hackers access to unauthorised systems.

Foreshadow operates by taking advantage of Speculative Execution technology – the part of a chip’s design that predicts and processes actions ahead of time and improves overall processing speed. Unfortunately, researchers have discovered that this feature is also vulnerable!

There are 3 varieties to this vulnerability, but there is some good news as vendors have released patches to help mitigate risk:

– Affects Intel Software Guard Extensions (SGX) – CVE-2018-3615 – L1 Terminal Fault: SGX

– Affects Operating Systems & System Management Mode – CVE-2018-3620 – L1 Terminal Fault: OS/SMM

– Affects Hypervisor Software – CVE-2018-3646 – L1 Terminal Fault: VMM

While further details can be found on the Intel site, it’s also worth noting that, as it stands, these vulnerabilities appear linked to Intel processors only.

In other news, two Zero Day Microsoft vulnerabilities have been exposed this month.  The first highlights more issues within Internet Explorer, and the second addresses a flaw in Control Panel shortcuts.

CVE-2018-8373 – Internet Explorer Memory Corruption Vulnerability

Microsoft describes this as “a remote code execution vulnerability [that] exists in the way that the scripting engine handles objects in memory in Internet Explorer.” This vulnerability is open to web or email driven attacks which could provide unauthorised and unrestricted access to impacted systems.

CVE-2018-8414 – Windows Shell Remote Code Execution Vulnerability

This vulnerability relates to Windows Shell not validating file paths that can result in an attacker being able to “install programs; view, change, or delete data; or create new accounts with elevated privileges.”

As expected, both are most effective when targeted against users with administrative privileges. Options’ advice, as always, is to follow ‘least privilege’ best practices.

Rounding off the rest of this month’s releases, we have the usual host of Microsoft Office patches as well as browser updates for Chrome and Firefox. We’ve only seen 13 Adobe vulnerabilities addressed in August’s Patch update – a far cry from the 104 in July!

Patrick Collins, Vulnerability Management

Leave a Reply

Your email address will not be published. Required fields are marked *