Microsoft Patches Zero Days

Wednesday, August 15, 2018 @ 01:08 PM gHale

It is Patch Tuesday week and Microsoft applied salve to over 60 vulnerabilities, two of which are Zero Days.

In addition to those, the company also had a critical update advisory that addresses vulnerabilities found and patched in Adobe Flash.

Microsoft Fixes .NET after July Patch Snafu
Patch Tuesday Fixes 53 Holes
Patch Tuesday Fixes 11 Critical Holes
Patch Tuesday Clears 2 Zero Days

The two patched Zero Days are:
• A vulnerability in Windows Shell (CVE-2018-8414) a user can deploy by opening a specially crafted file allowing the attacker to run arbitrary code in the context of the current user. It is being exploited through malicious PDF files, but any filetype can do the trick. The vulnerability ended up patched out-of-band on August 2, but it was updated in the release.
• A remote code execution vulnerability (CVE-2018-8373) affecting the scripting engine in Internet Explorer that can end up leveraged either via a specially crafted website, specially crafted content or ads on websites, or via an embedded ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine.

A Windows RCE vulnerability (CVE-2018-8345) could allow remote code execution if a malicious .LNK file is processed.

Another critical flaw is a memory corruption vulnerability (CVE-2018-8345) affecting Microsoft Exchange that could lead to remote code execution. Exploitation of the vulnerability requires that a specially crafted email be sent to a vulnerable Exchange server.

There is also a vulnerability in Microsoft Active Directory Federation Services (ADFS) (CVE-2018-8340) that could allow attackers to bypass multi-factor authentication safeguards employed by enterprises.

Leave a Reply

You must be logged in to post a comment.