June 12th was Microsoft Patch Tuesday, and the software vendor released a selection of updates to mitigate vulnerabilities which affect a number of products, including Windows OS, Internet Explorer and Edge browsers, MS Office and MS Office services, and Cortana.
Altogether Microsoft rolled out 50+ security patches; 11 of them patching vulnerabilities categorized as a “critical” severity level and 39 listed as “important” in Microsoft Security Update guide. This article outlines the details of the most important security updates included in this month’s batch.
Researchers from Talos Intelligence identify this vulnerability as one of the most significant among those marked as critical. Remote code execution (RCE) is a class of attacks allowing adversaries to execute their harmful code on the affected computer or device. Adversaries exploit system vulnerabilities to gain foothold on the system and run their own code or commands, effectively taking control of the device. Malware executes code either with user privileges or higher by attempting privilege escalation attacks to access system controls or processes as admin or other privileged account. Malicious code may be launched from an attacker’s machine or a server on the target computer.
What Does the RCE Affect?
This particular vulnerability pertains to Windows Domain Name System (DNS). DNS is one of the most vital systems on the internet as we know it. Internet and Windows networks use IP addresses as a means of locating and recognizing computers and servers to exchange data. IP addresses, like 184.108.40.206 are obviously harder to remember than domain names (hostname) like play.google.com. DNS is tasked with resolving hostnames to numerical IP addresses, used by networks, so that we won’t need to memorize them. This happens every time we type a domain name in the browser requesting a certain hostname. A DNS server will do the rest by searching the records to find the matching IP. Once the IP is found, a resolver sends a response, so your browser may connect to it and load the website. You can think of the DNS as a “phonebook” of domain IPs. Furthermore, things are not limited to your browser, applications and services running on your machine perform DNS requests continuously in the background.
The RCE vulnerability in question is related to Windows Domain Name System DNSAPI.dll inadequately handling DNS responses, which allows adversaries to send malicious packets to victims from the DNS server they took over or the machine that fakes the DNS server on open WiFi networks. Attackers may be able to execute arbitrary code on Windows PC and Windows servers alike in the context of a local system account. Here’s what researcher Dustin Childs from Zero Day Initiative pointed out:
This bug clearly wins for most critical this month. This vulnerability could allow an attacker to execute code at the local system level if they can get a crafted response to the target server. There are a couple of ways this could happen. The attacker could attempt to man-in-the-middle a legitimate query. The more likely scenario is simply tricking a target DNS server into querying an evil server that sends the corrupted response—something that can be done from the command line. It’s also something that could be easily scripted. This means there’s a SYSTEM-level bug in a listening service on critical infrastructure servers, which also means this is wormable. “Patch Now” doesn’t even seem forceful enough
While Microsoft has identified that exploitation of this vulnerability in the wild as less likely at the time of publication, patches for this vulnerability should be of utmost priority. Its “wormable” status means that there is a possibility of spreading to other unpatched machines across the network. Affected Microsoft products include:
- Windows 10 (32 and 64 bit), builds 1607,1703,1709,1803 ,
- Windows 8.1 (32 and 64 bit)
- Windows 7 (32 and 64 bit), SP1
- Windows Server 2008 (32 and 64 bit) SP2,SP1 (including Itanium based systems),Server Core Installation
- Windows Server 2012, R2, Server Core Installation
- Windows RT 8.1
- Windows Server 2016, builds 1709,1803, Server Core Installation
Yet another RCE vulnerability fix released by Microsoft this month relates to HTTP Protocol Stack, specifically the HTTP.sys component. In Windows, HTTP.sys is responsible for processing HTTP requests, including those from the machine’s browsers. Due to specifics of its implementation, HTTP.sys allows devices to process requests at higher speeds. However, an attacker may exploit the vulnerability in question by sending a malicious packet to target the HTTP.sys server causing improper handling of objects in the memory. Similar to the previous RCE vulnerability, this weakness will also let the attacker execute arbitrary code, taking over the system. In his comment, Childs noted that HTTP.sys runs with elevated rights and that a hacker’s code will execute within same privileged context in the event of attack. Affected Microsoft products include:
- Windows 10 (32 and 64 bit), builds 1607,1703,1709,1803
- Windows Server 2016, builds 1709,1803, Server Core Installation
Remote Code Execution Vulnerabilities in Internet Explorer and Edge Browsers
Aside from the issues described above, there are several browser-specific issues addressed by Microsoft.
Microsoft Patches Critical Memory Corruption Bug in Internet Explorer 11
CVE-2018-8249 was assigned a “critical severity” level, involving memory corruption in IE 11. This vulnerability may be exploited by an adversary when IE improperly handles objects access in the memory, allowing execution of arbitrary code with the rights of the current user. That said, an attacker may gain admin rights if the victim is running their PC with administrator privileges while an attack is underway. From there, a hacker may gain full control over the machine.
The Microsoft advisory describes possible attack vectors including that an attacker can create a website crafted to exploit the vulnerability, using a compromised website, or placing content like malicious ads or objects on certain websites. The bottom line is that regardless of their method of choice, attackers still need to manipulate users to open a malicious page in their IE browser in order to exploit the vulnerability and execute harmful code. Some of the social engineering and manipulation tactics may include sending phishing emails impersonating a trusted party, asking users to click a link or open an attachment. In their exploitability assessment, Microsoft evaluates the possibility of this CVE as “More likely” for both the most recent and older software versions. The affected Microsoft products, include: Internet Explorer 11 on the following Windows versions:
- Windows 8.1 (32 and 64 bit), RT
- Windows (32 and 64 bit) SP1
- Windows Server 2008 R2 (64 bit) SP1
- Windows Server 2012 R2
Related Internet Explorer RCE Vulnerability
The CVE-2018-0978 has been rated with a severity grade ranging from “low” to “important” and affects IE versions 9-11 on a range of Microsoft platforms. This vulnerability is also patched by this month’s updates.
Security Patches for Edge browser
Software vendor released three security updates dealing with critical issues which may arise in case of memory corruption exploitation leading to arbitrary code execution by attackers. Based on the description provided by Microsoft, attack consequences resemble those described above for IE browser. Further security update details: