Microsoft Patch Tuesday – January 2018
Happy new year! While most of the world gets back on its feet from the eggnog induced holiday stupor, the world of cybersecurity spins on. Microsoft has released patches for some particularly interesting and popular vulnerabilities this month, which go by the name of ‘Meltdown’ and ‘Spectre’. Both have been widely circulated in the media, and hopefully this post can clear up any misconceptions surrounding those vulnerabilities while also informing about the rest of the vulnerabilities from this Patch Tuesday.
Windows Kernel received an update for the ‘Meltdown’ vulnerability. This vulnerability allows for an attacker to receive information that could lead to a Kernel Address Space Layout Randomization (KASLR) bypass. An attacker who successfully exploited this vulnerability would be able to map the kernel’s exact memory location, the knowledge of which could eventually lead to an elevation of privilege or complete system compromise. Microsoft rates the two vulnerabilities patched in the Kernel as Important.
Windows SMB Server received an update for a vulnerability that could allow a local attacker to elevate their privileges. An attacker would have to log onto the system and then run a malicious application to take control of the system. The update addresses the vulnerability by correcting how the SMB Server handles these files.
Adobe Type Manager Font Driver
Separate from the Adobe patch this month, there was also a patch for the Adobe Type Manager Font Driver, known as ATMFD.dll on Windows systems. The driver could fail to properly handle objects in memory, which would cause it to disclose potentially sensitive information. This vulnerability could not be used to elevate privileges or execute code directly, but could be used to further compromise an affected system. Microsoft rates this vulnerability as Important.
Windows GDI contained a win32k information disclosure vulnerability that would leak kernel memory addresses. An attacker who successfully exploited the vulnerability could obtain information as to the kernel memory layout, and bypass the Kernel Address Space Layout Randomization similar to the ‘Meltdown’ vulnerability. This information does not allow a user to elevate privileges or execute code directly, but could be leveraged to further compromise an affected system. Microsoft rates this vulnerability as Important.
Microsoft Color Management
The Color Management Module (ICM32.dll) received a fix for an information disclosure vulnerability. When mishandling objects in memory, the module could expose information that could be leveraged to bypass usermode Address Space Layout Randomization. The information could be used to further compromise an affected system, but could not be used directly to elevate privileges or execute code. An attacker attempting to exploit the vulnerability would have to conduct a ‘phishing’ attack by luring the victim to a maliciously crafted website, uploading malicious content to a frequently visited website, or sending a malicious email. Microsoft rates this vulnerability as Important.
Microsoft Edge / Internet Explorer
Microsoft’s web browsers received a fix for the ‘Spectre’ vulnerability this month. Microsoft released a special advisory (ADV180002) to inform customers about speculative execution side-channel vulnerabilities like ‘Spectre.’ The most significant part of these updates is that after applying the patches, there is a performance impact. Depending on the age of your device, the impact may not be noticeable. However, the impact varies by the hardware generation and implementation by the chip manufacturer. These speculative execution side-channel vulnerabilities can be used to read the content of memory across a hardware-level trusted boundary, and can therefore lead to information disclosure. The mitigations and fixes are aimed at preventing attackers from triggering the weakness in the CPU which could allow the contents of memory to be disclosed. Microsoft rates these vulnerabilities as Important.
Adobe Flash Player
Adobe received a fix for an out-of-bounds read vulnerability. The vulnerability occurs due to a computation that reads data that is past the end of a target buffer, potentially granting the attacker information that may be sensitive. Microsoft rates this vulnerability as Important.
Office received a multitude of fixes for various products. In total, there were 17 separate vulnerabilities addressed, the worst of which is rated Critical by Microsoft. An attacker exploiting these vulnerabilities would be able to remotely execute code by luring a victim to view malicious content via traditional web-attack and email vectors. Other vulnerabilities fixed in Office can lead to memory corruption, and a vulnerability in Sharepoint could allow for the elevation of privilege from a local attacker.
Microsoft’s .NET Framework underwent fixes for four vulnerabilities. These vulnerabilities allow for a Denial of Service attack, Elevation of Privilege, Cross Site Request Forgery, and Security Feature Bypass. The Denial of Service results when XML documents are maliciously crafted, resulting in an application crash. The ASP.NET core project templates could be abused by a local attacker to elevate their privileges. The ASP.NET core also allows attackers to conduct Cross Site Request Forgery, leading victims to malicious websites. The .NET core framework also mishandled certificate validation in specific cases, which could lead to an invalid certificate being marked valid.