Microsoft’s April Patch Tuesday release includes fixes for 66 bugs, 24 of which are rated critical. Notable is Microsoft’s disclosure of a publicly known SharePoint elevation of privilege bug (CVE-2018-1034), rated important, which has no fix but has not been publicly exploited.
Microsoft SharePoint Enterprise Server 2016 is the only version impacted by the vulnerability, according to Microsoft. “An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server,” Microsoft said.
“A public disclosure means that a vulnerability was discovered and enough detail about the vulnerability or concept code has been released to give attackers a jump start. It does not mean it has been used in the wild. Public disclosures are an indicator of risk. Enough information is out there to give the attacker an edge in creating an exploit to utilize this vulnerability,” said Chris Goettl, product manager at Ivanti regarding the SharePoint vulnerability.
Security experts say one of the most important patches rolled out Tuesday was actually identified in March (CVE-2018-1038). That’s when Microsoft released an out-of-band fix for a Windows vulnerability introduced with the January Patch Tuesday update. If exploited, the bug could allow an authenticated attacker to install programs, access stored data or create new accounts with full user rights on Windows 7 and Server 2008 R2 machines.
“While this vulnerability was identified between March and April Patch Tuesday’s, CVE-2018-1038 should be a top priority for anyone who has Windows 7 for x64-based Systems or Windows Server 2008 R2 for x64-based Systems, and you have installed any of the servicing updates released during or after January 2018, you need to install 4100480 immediately to be protected from this Elevation of Privilege vulnerability,” Goettl said in his commentary on Patch Tuesday.
“Patches for hardware are rare, and patches for keyboards are especially rare, so it was somewhat shocking to see this bug detailed. However, the severity of this bug should not be scoffed at,” the Zero Day Initiative’s (ZDI) Dustin Childs said in an analysis of the vulnerability. “This vulnerability could affect you in two ways. First, an attacker could read your keystrokes – effectively turning your keyboard into a keystroke logger. Everything you type – passwords, account details, emails – could be viewed.”
Alternatively, an attacker could also inject keystrokes to an affected system by reusing the keyboard’s AES encryption key.
Childs also warns that a critical Windows VBScript Engine Remote Code Execution Vulnerability (CVE-2018-1004) also presents a heightened security risk. “This critical-rated bug for the VBScript engine acts somewhat like a browser bug, but it’s actually more impactful,” he said. To exploit the vulnerability an attacker hosts a malicious website and tricks a victim to browse the site.
“An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” according to Microsoft.
Microsoft also alerted users to five Graphics Remote Code Execution Vulnerabilities (CVE-2018-1010, -1012, -1013, -1015, -1016) tied to the Windows Font Library. “Each of these patches covers a vulnerability in embedded fonts that could allow code execution at the logged-on user level. Since there are many ways to view fonts – web browsing, documents, attachments – it’s a broad attack surface and attractive to attackers,” ZDI noted.
Jimmy Graham, director of product management at Qualys, noted in online commentary that, “The majority of the Microsoft critical vulnerabilities are in browsers and browser-related technologies. It is recommended that these be prioritized for workstation-type devices. Any system that accesses the Internet via a browser should be patched.”
Microsoft Malware Protection Engine was fixed last week in an out-of-band security update.
Earlier on Tuesday, Adobe fixed four critical vulnerabilities in its Flash Player and InDesign products as part of its regularly scheduled April Security Bulletin. Patches for Adobe Flash Player for Microsoft Edge and IE 11 were part of that update. Adobe said Edge and IE users will each be automatically updated to the latest versions.