It’s October 2018, and Exchange can be pwned by an 8-year-old… bug

Microsoft has released the October edition of its monthly security update, addressing a total of 49 CVE-listed bugs.

DLL bug a blast from the past

Among the 49 fixes were three issues that have already been publicly disclosed and a fourth that was being targeted in the wild. On top of that, a remote code execution bug in Exchange Server is the resurfacing of a vulnerability first found in 2010.

CVE-2010-3190 is a remote code execution bug created by insecure handling of DLL files in applications made with Microsoft Foundation Classes. The issue was covered extensively by Microsoft back in 2010, but because this sort of flaw is notoriously difficult to root out, the issue was only recently found in Exchange Server 2010 SP3, 2013, and 2016.

Kaspersky Labs took credit for discovering and reporting the active attacks on CVE-2018-8453. This elevation of privilege flaw in the way Win32K handles drivers allows attackers to run their code with kernel mode access, letting them do things like create new accounts and write or delete data at will.

Also publicly reported, but not exploited, were CVE-2018-8423, a remote code execution bug in JET Database Engine for Windows; CVE-2018-8497, a Windows Kernel elevation of privilege vulnerability; and CVE-2018-8531, a remote code execution flaw in Azure IoT device client that would be exploited via a malicious email or message attachment.

Dustin Childs, researcher with Trend Micro’s Zero Day Initiative, singled out CVE-2018-8492, a security bypass flaw in Device Guard, as a particularly dangerous issue that admins should pay special attention to.

“This patch corrects a vulnerability that could allow an attacker to inject malicious code into a Windows PowerShell session,” Childs explained.

“This may not seem too bad on the surface, but it’s just the type of thing used by fileless malware.”

Microsoft is also warning that two remote code execution flaws in Hyper-V, CVE-2018-8489 and CVE-2018-8492, can be exploited by guest VMs to execute code on the host machine, and should also be a priority for admins.

As is often the case, Microsoft’s Edge and Internet Explorer browsers, along with the Chakra Scripting Engine for Edge, were the subject of a number of critical remote code execution bugs that would be targeted via malicious websites.

For Office, Microsoft posted patches for security feature bypass flaws in PowerPoint (CVE-2018-8501), Excel (CVE-2018-8502), and Word (CVE-2018-8504).

Adobe delivers second patches of the month

Hot on the heels of last week’s giant Acrobat and Reader security update, Adobe has posted fixes for vulnerabilities in four of its products.

For Digital Editions, the update will patch nine CVE-listed vulnerabilities that could allow remote code execution. The Adobe Experience Manager update addresses five cross-site scripting vulnerabilities, while an update for FrameMaker includes fixes for a single privilege escalation flaw.

Finally, a fix for the Adobe Technical Communications Suite addresses a single privilege escalation flaw from insecure library handling.

Don’t forget Android

While you’re out there installing patches, it’s worth noting that last week Google also posted its October security bulletin for Android with new fixes, including a number of remote code execution bugs in the Media framework and System components.

Google will get the update out to its branded devices, while other Android devices will need to be updated through their respective vendors. ®