Microsoft’s Patch Tuesday updates for August 2018 address 60 vulnerabilities, including two zero-day flaws affecting Windows and Internet Explorer.
One of the actively exploited vulnerabilities is CVE-2018-8414, which Microsoft learned of from Matt Nelson of SpecterOps. Nelson disclosed the details of the bug in June after Microsoft told him that “the severity of the issue is below the bar for servicing and that the case will be closed.”
Proofpoint then revealed in July that a financially-motivated threat actor tracked by the company as TA505 had been exploiting the flaw to deliver the FlawedAmmyy RAT.
Microsoft described the issue as a Windows Shell remote code execution vulnerability that can be exploited by getting the targeted user to open a specially crafted file. The company says the flaw impacts Windows 10 and Windows Server (versions 1709 and 1803).
According to Trend Micro’s Zero Day Initiative (ZDI), the same vulnerability also impacts Adobe Acrobat Reader. ZDI researcher Abdul-Aziz Hariri reported the weakness to Adobe, which also released a patch for it on Tuesday.
“The Acrobat patch blocks the embedding of certain files types – a tactic Microsoft has already done with Office 365 docs,” ZDI explained in a blog post published after the patches were released. “This [Microsoft] patch prevents the bypassing of traditional file execution restrictions within Windows. It’s fascinating to see exploit authors combine different products to evade detection and proliferate their malware.”
The second zero-day vulnerability patched on Tuesday by Microsoft is CVE-2018-8373, a remote code execution flaw that exists due to how the scripting engine in Internet Explorer handles objects in memory.
The security hole was reported to Microsoft by Elliot Cao of Trend Micro Security Research, but Trend Micro has yet to make any information public on the attacks it has seen.
On the other hand, the security firm did reveal that CVE-2018-8373 is very similar to CVE-2018-8174, which Microsoft patched in May. CVE-2018-8174 had been exploited by an unnamed advanced persistent threat (APT) actor when it was fixed.
“[The vulnerability] used a new UAF vulnerability in vbscript.dll. This UAF occurs when the VBScript engine uses AssignVar to assign a value to the element of an array accessed by AccessArray,” ZDI explained. “Interestingly, the previous CVE was also being actively exploited when patched. In other words, if there are similar bugs to this one, they will likely be found and exploited, too.”
A total of 20 vulnerabilities patched this month by Microsoft have been rated “critical” and, unsurprisingly, many of them impact Edge and Internet Explorer. Remote code execution flaws discovered in SQL Server, Exchange, and Windows have also been assigned a “critical” severity rating.
Some of the more interesting vulnerabilities patched by Microsoft this month, whose details were disclosed shortly after the tech giant pushed out the security updates, include an Active Directory Federation Services (ADFS) issue discovered by Okta and an Exchange RCE flaw reported by an anonymous researcher through ZDI.
UPDATE. Trend Micro has published technical details and information on the attacks involving CVE-2018-8373
“Attribution is always difficult, but it seems clear whomever is behind these attacks are determined actors. When their first exploit was patched (CVE-2018-8174), they were able to develop the newer CVE-2018-8414 to continue their campaign. While we can’t with 100% certainty say these bugs are from the same people, the similarities seem more than coincidental. It would not shock me to see further exploits from this group,” Dustin Childs, communications manager for the ZDI, told SecurityWeek.