Microsoft Patch Tuesday for May Includes Updates for Actively-Exploited Vulnerabilities

For May 2018, Microsoft’s monthly release of security updates — also known as Patch Tuesday — addressed a number of vulnerabilities, most notably two vulnerabilities that were already actively exploited in attacks.

One of these vulnerabilities is CVE-2018-8174, which is a remote code execution flaw in the way the VBScript engine handles objects in memory. Exploiting this vulnerability results in a system memory corruption that could potentially allow an attacker to gain administrative rights via arbitrary code execution. The attacker can then manipulate the system for malicious purposes. Trend Micro’s Zero Day Initiative (ZDI) also noted that the vulnerability bears similarities to CVE-2018-1004, which was patched during the last update. There have also been reported attacks exploiting this vulnerability by threat actors.

The second vulnerability, CVE-2018-8120, is an elevation of privilege vulnerability that exists in Windows when the Win32k component fails to handle objects in memory properly. An attacker who successfully exploits this vulnerability can run arbitrary code in kernel mode to install programs, manipulate data, or even create new accounts with full user rights in the user’s system. Although there have been reports that the malware is actively being exploited, there is no information as of yet on the impact of the exploitation.

Other notable vulnerabilities addressed in this round of updates include the Hyper-V Remote Code Execution vulnerability CVE-2018-0959 and the Hyper-V vSMB Remote Code Execution vulnerability CVE-2018-0961. While the cause of the bugs is different for the two vulnerabilities, both could allow an attacker using a guest operating system (OS) to elevate privileges and execute code via a specially crafted program running on the guest OS.

This month’s Patch Tuesday includes eleven vulnerabilities disclosed via Trend Micro’s ZDI:

Alongside, Adobe also released their own set of security updates, which include:

APSB18-12: An update that addresses a vulnerability in the validation of certificates used by Creative Cloud desktop applications (CVE-2018-4991), and an improper input validation vulnerability (CVE-2018-4992) that could lead to privilege escalation
APSB18-16: An update that addresses critical vulnerabilities in Adobe Flash Player 29.0.0.140 and earlier versions
APSB18-18:An update for Adobe Connect that addresses the authentication bypass vulnerability CVE-2018-499

Trend Micro Deep Security and Vulnerability Protection protect user systems from any threats that may target the vulnerabilities mentioned above via the following DPI rules:

1009058 – Detected Server Message Block (SMB) Outgoing Request
1009067 – Microsoft Windows VBScript Engine Remote Code Execution Vulnerability (CVE-2018-8174)
1009068 – Microsoft Edge Memory Corruption Vulnerability (CVE-2018-8179)
1009072 – Microsoft Office Remote Code Execution Vulnerability (CVE-2018-8158)
1009073 – Microsoft Office Remote Code Execution Vulnerability (CVE-2018-8157)
1009075 – Microsoft Excel Multiple Remote Code Execution Vulnerabilities (May-2018)
1009076 – Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2018-8133)
1009078 – Microsoft Edge Memory Corruption Vulnerability (CVE-2018-8123)
1009079 – Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2018-8122)
1009081 – Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2018-8114)
1009082 – Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2018-0955)
1009083 – Microsoft Internet Explorer And Edge Scripting Engine Memory Corruption Vulnerability (CVE-2018-0954)
1009084 – Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2018-0953)
1009085 – Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2018-0951)
1009086 – Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2018-0946)
1009088 – Microsoft Windows Multiple Elevation Of Privilege Vulnerabilities (May 2018)
1009094 – Microsoft Edge Out Of Bounds Read Vulnerability (CVE-2018-8137)

Trend Micro TippingPoint customers are protected from threats that may exploit the vulnerabilities via these MainlineDV filters:

31487: HTTP: Microsoft Edge Scripting Engine AppendChild Memory Corruption Vulnerability
31488: HTTP: Microsoft Edge Chakra Scripting Engine Proxy Memory Corruption Vulnerability
31489: HTTP: Microsoft Edge Scripting Engine Magic Value Memory Corruption Vulnerability
31490: HTTP: Microsoft Edge Scripting Engine DefineGetter Memory Corruption Vulnerability
31491: HTTP: Microsoft Internet Explorer Prototype Memory Corruption Vulnerability
31492: HTTP: Microsoft Internet Explorer __proto__ Memory Corruption Vulnerability
31493: HTTP: Microsoft Windows VBScript Engine Class_Terminate Use-after-Free Vulnerability
31494: HTTP: Microsoft Edge Scripting Engine Window Event Memory Corruption Vulnerability
31498: HTTP: Microsoft Edge RTCIceTransport Use-After-Free Vulnerability
31552: HTTP: Microsoft Edge CSS Use-After-Free Vulnerability
31554: HTTP: Microsoft Excel Use-After-Free Vulnerability
31555: HTTP: Microsoft Excel Use-After-Free Vulnerability
31556: HTTP: Microsoft Office Buffer Overflow Vulnerability
31557: HTTP: Microsoft Office Buffer Overflow Vulnerability
31558: HTTP: Microsoft Win32k Use-After-Free Vulnerability
31559: HTTP: Microsoft Excel Memory Corruption Vulnerability
31560: HTTP: Microsoft Windows CLFS Memory Corruption Vulnerability
31561: HTTP: Microsoft Windows Memory Corruption Vulnerability
31562: HTTP: Microsoft Win32k Elevation of Privilege Vulnerability
31563: HTTP: Microsoft Internet Explorer RegExp Replace Use-after-Free Vulnerability
31571: HTTP: Microsoft DirectX Graphics Kernel Integer Overflow Vulnerability
31572: HTTP: Microsoft Windows Memory Corruption Vulnerability
31573: HTTP: Microsoft Outlook Use-After-Free Vulnerability