Experts uniformly pointed to the Windows DNS patch (CVE-2018-8225) as the most interesting fix of the month and the one that should take priority for most enterprises. Microsoft described the Windows DNS patch as addressing a remote code execution (RCE) vulnerability that affects Windows desktop versions 7 through 10 and Windows Server 2008 and newer.
Microsoft wrote in the advisory for the Windows DNS patch that if an attacker used a malicious DNS server to send corrupted DNS responses to the target, the exploit could allow for running arbitrary code in the context of the local user permissions.
Craig Young, security researcher for Tripwire’s Vulnerability and Exposure Research Team, said the full impact of the Windows DNS vulnerability “is not entirely clear.”
“Microsoft describes it as a problem processing DNS responses. Normally, I would expect that to mean that the attacker must be in a position to respond to DNS requests from a victim. This would mean that the victim is either making a DNS request to a server the attacker controls or that the attacker has a privileged network position allowing them to spoof responses from a legitimate server,” Young wrote via email. “In this case, however, Microsoft’s CVSS v3 score indicates that there is no user interaction required to trigger the vulnerability. It could be that Microsoft did not score the vulnerability properly, but it could also mean that there are circumstances where a vulnerable system will process unsolicited responses.”
Jimmy Graham, director of product management at Qualys Inc., based in Redwood City, Calif., added in a blog post that “mobile workstations that may connect to untrusted Wi-Fi are at high risk” and the Windows DNS patch should be a priority for those users.
Spectre v4 gets OS fixes
According to Microsoft’s updated advisory, Windows now supports Speculative Store Bypass Disable (SSBD) in Intel processors, but this in itself will not protect against Spectre v4 and will require microcode patches from Intel to fully remediate.
Microsoft couldn’t provide a timetable for when those microcode updates would be available, but it did warn users that “in testing Microsoft has seen some performance impact when SSBD is turned on. However, the actual performance impact will depend on multiple factors, such as the specific chipset in your physical host and the workloads that are running.”
Another flaw to watch
The final critical flaw for enterprises to prioritize was CVE-2018-8267, a scripting engine memory corruption vulnerability in Internet Explorer. This patch should take priority because although there have not been any attacks seen in the wild, this flaw was publicly disclosed.
According to Microsoft, this RCE vulnerability could allow an attacker to run code in the context of the current user either by luring a target to a malicious website or by embedding a malicious ActiveX control in a Microsoft Office document.
Based Blockchain Network