Hackers could be currently exploiting one of the Windows vulnerabilities addressed in Patch Tuesday.
On Tuesday, Microsoft issued patches for two vulnerabilities presently being leveraged by hackers. The most pressing of these—CVE-2018-8174—is a vulnerability in the VBScript engine, which can be exploited with relative ease in a Microsoft Office document that uses an ActiveX control, as well as Internet Explorer (IE) and any other software using the Trident rendering engine. Taken together, this is a rather vast attack surface for enterprise users.
The exploit was originally discovered by researchers at Kaspersky Lab, who highlight the relative novelty of the vulnerability in their description—it uses a URL Moniker executed by Word to load mshtml.dll, which the researchers indicate is the first time this technique has been used. While most users of Windows use an alternative browser, this method permits the attacker to bypass the default browser selection, forcing IE to load. The researchers speculate that the technique is likely to be leveraged by "drive-by (via browser) and spear-phishing (via document)" attacks in the near future, according to their report.
Neither Kaspersky Lab nor Microsoft have disclosed details of the attack they have observed leveraging this vulnerability, though Microsoft noted in its bulletin that attackers exploiting this vulnerability can gain the same user rights as the logged in user. As such, if a given user has administrator level access, "an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft wrote in the bulletin.
Similarly, the CVE-2018-8120 vulnerability in Win32k.sys is being actively exploited, which allows attackers to run arbitrary code in kernel mode. This vulnerability only affects Windows 7, Windows Server 2008, and Windows Server 2008 R2, the bulletin said. No details have been published about the active campaign leveraging this vulnerability. Exploiting this vulnerability requires a logged-in user to run a program.
Adobe also issued a patch for CVE-2018-4944, which allows for arbitrary code execution (at user level) if exploited. While this is not known to be actively exploited in the wild, anything that embeds the Flash runtime—both the Flash Player Desktop Runtime, as well as Flash for Microsoft Edge and Internet Explorer 11—will be affected on Windows, as is Chrome on Windows, Linux, and OS X.
In a much more wide-ranging problem, a widely-held misunderstanding of a statement in the Intel 64 and IA-32 Architectures Software Developer Manual requires patching of the kernels for Windows, Linux, OS X, and FreeBSD. The vulnerability, which allows attackers to read kernel memory, control a given OS, or cause kernel panics, is categorized as CVE-2018-8897. The issue revolves around unexpected behavior and potentially incomplete documentation of the "POP SS" instruction, which is better left explained by Nick Peterson, a researcher at Everdox Tech and Anti-Cheat Engineer at Riot Games who discovered the vulnerability:
When the instruction, POP SS, is executed with debug registers set for break on access to that stack location and the following instruction is an INT N, a pending #DB will be fired after entering the interrupt gate, as it would on most successful branch instructions. Other than a non-maskable interrupt or perhaps a machine check exception, operating system developers are assuming an uninterruptible state granted from interrupt gate semantics. This can cause OS supervisor software built with these implications in mind to erroneously use state information chosen by unprivileged software.
Peterson notes that this functionality was designed around the time of the Intel 8086, but that this type of segmentation "is in little use today." Microsoft has issued patches for Windows 7, 8.x, and 10, as well as in Windows Server. Similarly, the issue was patched in Linux in March, as well as in Mac OS in Security Update 2018-001. Hypervisor platforms are also potentially susceptible as well, with Xen and Citrix issuing patches. VMware vCenter Server is only "potentially affected" according to the company.
The big takeaways for tech leaders:
Researchers claim that a novel vulnerability discovered in VBScript, which can be exploited in Microsoft Office documents, as well as Internet Explorer and similar browsers, is likely to be very widely leveraged by attackers in the future.
A widely-held misunderstanding in low-level processor operation led to the kernels of Windows, Linux, and OS X being vulnerable to privilege escalation.