Microsoft Patches Two Actively Exploited Zero-Day Vulnerabilities
Microsoft fixed 67 vulnerabilities across its products May 8, including two vulnerabilities that were already being exploited in the wild.
The most serious and urgent issue was a remote code execution vulnerability in the Windows VBScript engine tracked as CVE-2018-8174. This flaw was found by researchers from Qihoo 360 last month in a targeted attack that used a malicious Word document with an embedded web page.
At the time, the researchers dubbed it “double kill” and warned that it affected the latest versions of Internet Explorer and other applications that use the IE engine to display web content, such as Microsoft Word.
“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website,” Microsoft said in its advisory. “An attacker could also embed an ActiveX control marked ‘safe for initialization’ in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements.”
A second actively exploited vulnerability is located in the Win32k component and can lead to privilege escalation if an attacker already has access to a computer. Tracked as CVE-2018-8120, the flaw was reported by Anton Cherepanov, a senior malware researcher at antivirus vendor ESET.
There were two other vulnerabilities for which details were publicly disclosed before being patched, but which haven’t been exploited in the wild yet. One of them, CVE-2018-8170, allows privilege escalation on Windows 10 versions 1703 and 1709, while the other, CVE-2018-8141, can lead to information disclosure on Windows 10 version 1709.
In the context of virtualized systems, there were two critical vulnerabilities patched in Hyper-V: CVE-2018-0961 and CVE-2018-0959. Both of the flaws can be exploited from inside guest operating systems to execute arbitrary code on the host.
One privilege escalation, tracked as CVE-2018-8897 and patched in the Windows kernel, is particularly interesting because it stems from an issue that affects many other operating systems, including macOS, Linux and BSD variants.
According to the CERT Coordination Center, the bug is the result of how developers interpreted some of the documentation for certain Intel architecture interrupt/exception instructions. Disclosure of the flaw was coordinated among operating system and hypervisor vendors in a similar manner to the Meltdown and Spectre bugs.
“In certain circumstances after the use of certain Intel x86-64 architecture instructions, a debug exception pointing to data in a lower ring (for most operating systems, the kernel Ring 0 level) is made available to operating system components running in Ring 3,” CERT/CC said in an advisory. “This may allow an attacker to utilize operating system APIs to gain access to sensitive memory information or control low-level operating system functions.”
Overall, Microsoft’s patches in May fixed 21 vulnerabilities rated critical, 19 of which can lead to remote code execution. Affected products include Windows, Internet Explorer, Microsoft Edge, ChakraCore, .NET Framework, Microsoft Exchange Server, Windows Host Compute Service Shim and Microsoft Office.
Report Shows Surprising Decline in Data Breaches
A newly published quarterly data breach report from Risk Based Security shows a significant decline in the number of breaches reported over the first three months of 2018 compared to the same period last year: 686 compared to 1,444.
The jury’s still out on whether this is a trend or a one-time deviation, especially since the number of compromised records remain high at 1.4 billion and not much has changed in terms of breach types, origin and who discovers them.
“Other than the dip in the number of data breaches reported, Q1 2018 was very much in lockstep with recent quarters,” said Inga Goddijn, executive vice president at Risk Based Security. “If there was a truly seismic shift in breach activity we would expect other metrics to show some signs of change as well.”
The good news is that the average time between when a breach is discovered and when it’s publicly reported has continued to decline over the years, reaching 37.9 days. However, this is still far off from the requirement under the EU’s General Data Protection Regulation (GDPR) to report breaches within 72 hours of discovering them.
