Microsoft's May 2018 Patch Tuesday update fixes a critical remote code execution flaw that has been used in attacks on Internet Explorer users across the world.
Microsoft’s May update includes fixes for 67 security flaws: 21 rated critical, 45 rated important, and two low-severity issues. Notable critical flaws affect Microsoft’s browser scripting engine, its Hyper-V virtualization framework, Internet Explorer, and a Windows 10 security feature bypass revealed in April by Google's Project Zero.
The update includes patches for two flaws that are already being exploited in the wild, one of which was being used by an advanced persistent threat (APT) attack group to target Windows users through Internet Explorer (IE).
The IE attacks were revealed in April by the Qihoo 360 Core Security team, which said a “double kill” vulnerability bundled with malicious Office documents was being used to compromise IE users on a “global scale”. Victims who opened the Office document would silently be infected via a malicious webpage opened in the background.
Microsoft at the time didn't confirm the vaguely detailed bug but now appears to have filled in a few gaps in an advisory that credits Qihoo 360 Core Security.
Microsoft says the remote code execution vulnerability lies in the Windows VBScript engine, potentially allowing an attacker to execute arbitrary code and gain full control of the system if the user is logged in as an administrator.
“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website,” Microsoft notes in its advisory for the bug, CVE-2018-8174.
“An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.”
Microsoft has also released a fix for a bypass vulnerability in a Windows security feature called Device Guard that notably affects devices in Windows 10 S locked-down mode.
Researchers at Google’s Project Zero revealed the Device Guard bypass on April 19 following failed attempts by Microsoft to negotiate a deferral of disclosure until the Windows 10 April 2018 Update, which was first released to Windows 10 users on April 30.
Microsoft was unable to provide a fix prior to Project Zero’s 90-day deadline and had also asked Google not to disclose the bug until its May Patch Tuesday release.
Though it's one more instance of the two tech giants locking horns over disclosure norms, it's not a dangerous bug. Google rated the issue as “medium” severity, in part because other unpatched bypasses are publicly known, while Microsoft rated it as “important”. It has been assigned the vulnerability identifier CVE-2018-1039.
“To exploit the vulnerability, an attacker would first have to access the local machine, and then run a malicious program,” Microsoft said in its advisory. The patch addresses the .NET Framework issue in Windows 7 through Windows 10 and Windows Server 2012 through Windows Server 2016.
The other flaw that was exploited in the wild prior to today’s updates is a Win32k vulnerability that allows an attacker to elevate privileges.
“An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft notes.