Microsoft Fixes 11 Critical Flaws, Readies Patches for Spectre Variant 4

Microsoft has fixed 50 vulnerabilities in its products during this month’s Patch Tuesday, 11 of which are rated critical. The company has also released mitigations for the new Spectre variant announced last month, known as Spectre Variant 4 or Speculative Store Bypass.

One of the critical flaws is located in the Windows Domain Name System (DNS) client library, DNSAPI.dll, and is caused by improper handling of DNS responses. An attacker could exploit the vulnerability by returning corrupted DNS responses to the target from a malicious DNS server, leading to remote code execution. Because the bug sits in the client-side resolver code rather than in the DNS server role, any Windows system that resolves names is exposed, not just DNS servers.

Windows laptops and other devices that connect to unsecured wireless networks are particularly exposed to this vulnerability because attackers could hijack their DNS traffic and spoof responses to trigger the flaw.

Another critical remote code execution vulnerability is located in the HTTP Protocol Stack (HTTP.sys), a kernel-mode protocol listener used by the IIS web server and various other Windows services. The vulnerability can be exploited by unauthenticated attackers by sending specially crafted packets to a vulnerable HTTP.sys server. Server administrators should prioritize the patch for this flaw.

The remaining critical vulnerabilities are located in Microsoft’s browsers, the Windows Scripting Engine and Windows Media Foundation and can be exploited by tricking users into visiting malicious web pages or opening specially crafted documents. Due to their nature, these flaws are particularly dangerous for workstation-type computers.

It’s worth noting that one of the critical flaws patched in the Windows Scripting Engine, CVE-2018-8267, was partially disclosed two weeks ago by the Zero Day Initiative because Microsoft exceeded the standard deadline of 120 days that ZDI gives vendors to release patches.

On Patch Tuesday, Microsoft also distributed the Flash Player update released by Adobe last week that fixes a critical vulnerability already being exploited in the wild.

Finally, the company released mitigations for Speculative Store Bypass, a new variant of the Spectre CPU attack that was publicly disclosed last month. The patches, which implement support for a new hardware feature in Intel processors called Speculative Store Bypass Disable (SSBD), are available for Windows 10, Windows Server 2016, Windows Server 2012 R2, Windows 7 and Windows Server 2008 R2.

However, the mitigation is disabled by default because using the new feature requires a CPU microcode update and has a significant performance impact. Users who wish to turn it on should follow the instructions Microsoft provided in an advisory. Administrators can check the state of a system with Microsoft’s SpeculationControl PowerShell module (Get-SpeculationControlSettings), which reports whether the microcode and operating system support for SSBD are present and whether the mitigation is actually enabled, rather than assuming that installing the update alone turned it on.

Microsoft also warned application developers that it’s no longer considered cryptographically safe to use Cipher-Block-Chaining (CBC) mode for symmetric encryption without additional data integrity checks. Doing this could allow attackers to decrypt data encrypted with CBC block ciphers without knowing the encryption key by using a so-called “padding oracle” attack. The attack works whenever an attacker can submit modified ciphertexts to the decrypting party and learn, from an error message, a status code or even a timing difference, whether the decrypted padding was valid; each such answer leaks information about one plaintext byte, so the whole message can be recovered with a few hundred queries per byte.

“The potential issue can apply to either data at rest or data in transit, and Microsoft recommends that any data which has confidentiality in transit needs be transmitted over Transport Layer Security (TLS, the successor to Secure Sockets Layer (SSL)),” the company said in an advisory. “Applications which are unable to change their messaging format but perform unauthenticated CBC decryption are encouraged to try to incorporate mitigations.”

The mitigation consists of combining CBC block ciphers with a keyed-hash message authentication code (HMAC) or other data integrity check computed over the ciphertext and validated using a constant-time comparison before any decryption takes place, so that a tampered message is rejected without ever reaching the padding check and the sender cannot distinguish an authentication failure from a padding failure. In addition to its advisory, the company published guidance on how to identify and fix this problem in .NET applications, which are widely used in the enterprise space.
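The following is an added example, not code from the article, from Microsoft’s advisory or from its .NET guidance. It shows the attack the two preceding paragraphs describe and the recommended fix side by side: a receiver that decrypts unauthenticated CBC and lets padding failures show, an attacker that recovers the plaintext from nothing but that yes/no answer, and a hardened receiver that verifies an HMAC over the IV and ciphertext with a constant-time comparison before decrypting anything. To stay on the Python standard library, a toy 64-bit Feistel block cipher stands in for AES (the attack depends only on CBC and PKCS#7 padding, not on the cipher); the keys, IV and message are constructed for the demonstration.

```python
import hashlib
import hmac
import os
BLOCK = 8  # toy cipher block size in bytes (AES uses 16; the attack is unchanged)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(key, block, rounds):  # toy 64-bit block cipher: 4-round Feistel, HMAC round function
    left, right = block[:4], block[4:]
    for i in rounds:
        left, right = right, xor(left, hmac.new(key, bytes([i]) + right, hashlib.sha256).digest()[:4])
    return right + left  # undo the last swap, so decrypting is the same loop with the rounds reversed

def pad(data):  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, padded):
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = feistel(key, xor(padded[i:i + BLOCK], prev), range(4))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += xor(feistel(key, ct[i:i + BLOCK], reversed(range(4))), prev)
        prev = ct[i:i + BLOCK]
    return out

def padding_is_valid(key, iv, ct):  # vulnerable receiver: the sender can see padding failures
    try:
        return unpad(cbc_decrypt(key, iv, ct)) is not None
    except ValueError:
        return False

def padding_oracle_attack(oracle, iv, ct):  # needs only oracle(prev_block, block) -> bool
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    recovered = b""
    for prev, target in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)  # D_K(target), learned one byte at a time, right to left
        for k in range(BLOCK - 1, -1, -1):
            p = BLOCK - k  # padding value forced onto bytes k..BLOCK-1
            forged = bytearray(BLOCK)
            forged[k + 1:] = bytes(b ^ p for b in inter[k + 1:])
            for guess in range(256):
                forged[k] = guess
                if not oracle(bytes(forged), target):
                    continue
                if k == BLOCK - 1:  # a last-byte hit may be a longer pad (02 02 ...): disturb
                    forged[k - 1] ^= 0xFF  # the byte to its left and re-check; only 01 survives
                    ok = oracle(bytes(forged), target)
                    forged[k - 1] ^= 0xFF
                    if not ok:
                        continue
                inter[k] = guess ^ p
                break
            else:
                raise RuntimeError("oracle never accepted a forgery: nothing leaked")
        recovered += xor(inter, prev)
    return unpad(recovered)

def seal(enc_key, mac_key, plaintext):  # sender side of the hardened scheme: encrypt-then-MAC
    iv = os.urandom(BLOCK)
    body = iv + cbc_encrypt(enc_key, iv, pad(plaintext))
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, msg):  # tag checked in constant time before any decryption
    body, tag = msg[:-32], msg[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("authentication failed")  # one error for every bad input
    return unpad(cbc_decrypt(enc_key, body[:BLOCK], body[BLOCK:]))

ENC_KEY, MAC_KEY = b"enc-key-example!", b"mac-key-example!"  # constructed sample keys
IV, PLAINTEXT = bytes(range(BLOCK)), b"attack at dawn"       # constructed IV and message

def attack_vulnerable_receiver():
    ct = cbc_encrypt(ENC_KEY, IV, pad(PLAINTEXT))
    return padding_oracle_attack(lambda iv, blk: padding_is_valid(ENC_KEY, iv, blk), IV, ct)

def attack_hardened_receiver():  # True when the same attack gets nothing from open_sealed
    sealed = seal(ENC_KEY, MAC_KEY, PLAINTEXT)
    def oracle(forged_iv, blk):  # the attacker cannot forge a tag, so a dummy one is sent
        try:
            return open_sealed(ENC_KEY, MAC_KEY, forged_iv + blk + bytes(32)) is not None
        except ValueError:
            return False
    try:
        padding_oracle_attack(oracle, sealed[:BLOCK], sealed[BLOCK:-32])
        return False
    except RuntimeError:
        return True
```

`attack_vulnerable_receiver()` returns the original message without ever touching the key, using at most 256 queries per byte; `attack_hardened_receiver()` returns True because every forged block fails the HMAC check before the padding is examined, so the oracle answers “no” uniformly and the attacker learns nothing. Two details of `open_sealed` carry the security: the MAC covers the IV as well as the ciphertext, and the comparison is `hmac.compare_digest` rather than `==`, so neither a bit-flip nor the timing of the comparison leaks anything. For new code, an AEAD mode such as AES-GCM removes the need to assemble CBC and HMAC by hand at all.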

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
