Microsoft BugFixes April

Microsoft Fixes 66 Bugs in April Patch Tuesday Release

Target: Users using the affected software.

Attack Vector: Various methods of delivery.

Summary: Microsoft Patch Tuesday updates have been released for April, covering 66 CVE-listed vulnerabilities, 24 of which are rated critical. The patch count is lower than recently observed; however, the number of vulnerabilities rated critical has increased by almost 50 percent, with the majority of these in browsers and browser-related technologies. The security updates were rolled out across numerous pieces of software, with elevation of privilege, bypass and remote code execution vulnerabilities making up a large portion of this month’s release.

One of the most notable flaws Microsoft focused on is an elevation of privilege bug, CVE-2018-1034, which could allow an authenticated attacker to install programs, access stored data or create new accounts with full user rights on Windows 7 and Server 2008 R2 machines. Five font-based flaws that could allow attackers to take control of the victim’s system through specially crafted websites and fonts were also a major focus for Microsoft this month. Furthermore, a Microsoft Wireless Keyboard 850 Security Feature Bypass Vulnerability, CVE-2018-8117, has also been observed, which could allow an attacker to log keystrokes.

Risk assessment summary: The threat is assessed as 4c LOW. Although this release contains several vulnerabilities that could potentially be exploited by actors, and more critical vulnerabilities than last month, there is only one zero-day flaw. This flaw is identified as CVE-2018-1034, which is most likely used for cross-site scripting attacks. The elevation of privilege vulnerability leaves users who installed the security updates in January at risk and can only be fixed by the user installing the new service updates. The Microsoft Wireless Keyboard 850 Security Feature Bypass Vulnerability has been patched by Microsoft, which has enhanced the security by mandating unique AES encryption keys. The last vulnerability detailed is the remote code flaw in the Microsoft Malware Protection Engine. Microsoft released an emergency patch to mitigate this flaw earlier in the week.

Microsoft Malware Protection Engine

Microsoft issued out-of-band patch to fix Malware Protection Engine flaw

Target: Users with Microsoft Malware Protection Engine

Attack Vector: Email and websites

Summary: Microsoft Malware Protection Engine is the core component for malware detection and cleaning in several Microsoft anti-malware products. Microsoft released an emergency security update via Windows Update that fixes CVE-2018-0986, a flaw that attackers could exploit to execute malicious code on a Windows system with system privileges and gain full control of the vulnerable machine.

Risk assessment summary: The threat is assessed as 3e MODERATE and the likelihood has been rated as possible. Successful exploitation of the vulnerability can allow the attacker to take control of the victim’s machine, permitting them to install programs; view, change, or delete data; and create new accounts with full user rights. However, Microsoft has released an emergency patch to mitigate this flaw. Because Microsoft decoupled MMPE component updates from OS updates, the necessary patches can be delivered silently without needing user interaction.