This year’s first Patch Tuesday is a busy one. Microsoft released 56 updates, including patches for the Meltdown and Spectre vulnerabilities, along with fixes for security issues in Windows, Internet Explorer, Edge, Office, ChakraCore, ASP.NET, and the .NET Framework. Sixteen were rated Critical and 38 Important; 20 of the vulnerabilities addressed can lead to remote code execution (RCE).
Three of these were disclosed through Trend Micro’s Zero-Day Initiative:
- CVE-2018-0796 — an RCE vulnerability in Microsoft Excel
- CVE-2018-0758 — a memory corruption vulnerability in the scripting engine in Microsoft Edge
- CVE-2018-0772 — a memory corruption vulnerability in Microsoft browser-related services (Internet Explorer, ChakraCore, Edge)
Note that Microsoft has introduced a new prerequisite for delivering these patches. Windows Update offers this month’s updates only if a registry key is present that signals the installed antivirus (AV) software is compatible with the OS; the key is normally set by the AV product itself once the vendor has confirmed compatibility. Trend Micro customers can find product-specific information and solutions, such as adding the required registry key, in the technical support articles for Home and Home Office users and for Businesses.
Meltdown and Spectre
On January 3, Microsoft released an out-of-band update for Windows 10, together with guidance and best practices for clients and servers. This month’s Patch Tuesday extends the updates to other supported Windows versions, but Microsoft has paused rolling them out to devices running AMD processors after reports that those systems became unbootable (blue screen of death) once the updates were installed; Microsoft is working with AMD to resolve the issue. The fixes’ impact on PC and server performance varies with the hardware and depends on the system’s workload.
Apple has also released its patches for Spectre (CVE-2017-5753 and CVE-2017-5715) in macOS High Sierra, iOS, and Safari, having addressed Meltdown (CVE-2017-5754) on January 5. Meltdown and Spectre are not specific to any one vendor: the U.S. Computer Emergency Readiness Team (US-CERT) advisory lists the affected vendors and links to their advisories, such as Google’s (for Android) and the Linux kernel’s.
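Two things an administrator will want to confirm after this month’s updates are the AV-compatibility registry gate described above and whether the Meltdown/Spectre mitigations are actually active once the update is installed. The PowerShell below is an added example, not code from the original post or from Trend Micro. It assumes Windows 10 or Server 2016 with PowerShell 5.1 run from an elevated prompt; the QualityCompat key path and value name are the ones Microsoft documented for the January 2018 gate (the post itself does not name them), and the mitigation check relies on Microsoft’s SpeculationControl module from the PowerShell Gallery, whose output property names are assumed from that module’s documentation.

```powershell
# Added example (not from the original post): post-update checks for the
# January 2018 Windows security updates.
# Assumes Windows 10 / Server 2016, PowerShell 5.1, elevated prompt.

# 1. The AV-compatibility gate. Windows Update offers the January 2018 updates
#    only if this REG_DWORD value exists with data 0. The AV product normally
#    sets it; an admin may set it manually if the vendor says the product is
#    compatible. Key path and value name as documented by Microsoft (assumption:
#    not taken from the post).
$compatKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\QualityCompat'
$compatName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Test-AvCompatKey {
    $item = Get-ItemProperty -Path $compatKey -Name $compatName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Warning 'QualityCompat value missing: the January 2018 updates will not be offered.'
        return $false
    }
    if ($item.$compatName -ne 0) {
        Write-Warning "QualityCompat value present but data is $($item.$compatName), not 0."
        return $false
    }
    Write-Host 'QualityCompat value present (REG_DWORD 0): updates can be offered.'
    return $true
}

# 2. Whether the mitigations are enabled on this host. Installing the OS update
#    is not sufficient on its own: the Spectre variant 2 (CVE-2017-5715)
#    mitigation also needs a microcode/firmware update from the OEM, and the
#    Meltdown (CVE-2017-5754) kernel VA shadowing must be enabled.
#    Property names are assumed from the SpeculationControl module's output.
function Test-SpeculativeExecutionMitigations {
    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        Write-Warning 'SpeculationControl module not installed; run: Install-Module SpeculationControl'
        return $null
    }
    Import-Module SpeculationControl
    $s = Get-SpeculationControlSettings -Quiet
    [pscustomobject]@{
        Meltdown_KvaShadowEnabled   = $s.KVAShadowWindowsSupportEnabled   # CVE-2017-5754
        Spectre2_MicrocodePresent   = $s.BTIHardwarePresent               # OEM firmware applied?
        Spectre2_OsMitigationEnabled = $s.BTIWindowsSupportEnabled        # CVE-2017-5715
    }
}

Test-AvCompatKey
Test-SpeculativeExecutionMitigations
```

If the second function reports the OS mitigation as enabled but no microcode present, the update is installed yet the variant 2 mitigation is still incomplete until the firmware update arrives; that is the case to chase with the hardware vendor rather than with Windows Update.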
Other Notable Vulnerabilities
Of note is CVE-2018-0802, a memory corruption vulnerability in Microsoft Office that is reportedly already being exploited in the wild. Exploitation requires luring the victim into opening a specially crafted document. The attack chain resembles that of a similar vulnerability (CVE-2017-11882), which various threat actors actively exploited in mid-December last year. The security update addresses CVE-2018-0802 by removing the Equation Editor component altogether.
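Because the fix for CVE-2018-0802 works by removing Equation Editor rather than patching it, the practical check is whether EQNEDT32.EXE is still present and, on hosts that have not yet taken the update, whether the COM-level workaround Microsoft published for CVE-2017-11882 (disabling the Equation.3 class through its COM compatibility flags) is in place. The script below is an added example, not part of the original post. The Equation.3 CLSID and the 0x400 compatibility flag are the values Microsoft documented for that workaround; the binary paths are the default Office install locations and are an assumption for non-default layouts.

```powershell
# Added example (not from the original post): is Equation Editor still
# reachable on this host after the January 2018 Office update?
# CLSID and 0x400 flag as documented by Microsoft for the CVE-2017-11882
# workaround; file paths are the default install locations (assumption).

$eqnClsid = '{0002CE02-0000-0000-C000-000000000046}'   # Equation.3 (EQNEDT32.EXE)

function Get-EquationEditorStatus {
    # The update deletes EQNEDT32.EXE; look in both the 64-bit and 32-bit
    # Common Files trees since Office may be either bitness.
    $candidates = @(
        "$env:ProgramFiles\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
        "${env:ProgramFiles(x86)}\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
    )
    $binaries = @($candidates | Where-Object { Test-Path -LiteralPath $_ })

    # Pre-update workaround: Compatibility Flags = 0x400 for the Equation.3
    # CLSID stops Office from instantiating the object, under either registry view.
    $flagPaths = @(
        "HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility\$eqnClsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\$eqnClsid"
    )
    $comBlocked = $false
    foreach ($p in $flagPaths) {
        $v = Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        if ($v -and (($v.'Compatibility Flags' -band 0x400) -eq 0x400)) { $comBlocked = $true }
    }

    [pscustomobject]@{
        EquationEditorPresent = ($binaries.Count -gt 0)
        Binaries              = $binaries
        ComLoadBlocked        = $comBlocked
        # Exposed only if the binary is still there AND nothing stops Office loading it.
        Exposed               = ($binaries.Count -gt 0) -and (-not $comBlocked)
    }
}

Get-EquationEditorStatus
```

A host reporting Exposed = True has neither the January update nor the interim workaround applied; once the Office update is installed the binary disappears and the compatibility flag becomes irrelevant.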
CVE-2018-0786 is a security feature bypass in .NET Framework and .NET Core related to certificate validation. According to Microsoft’s advisory, an affected component does not fully validate a certificate’s Enhanced Key Usage (EKU) extension: an attacker can present a certificate that is marked as invalid for a specific purpose, and the component will still use it for that purpose. Bypassing the EKU and application-policy check in this way can be leveraged for further attacks, since a certificate issued for one use could be accepted for another.
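To make concrete what the EKU check is that CVE-2018-0786 lets an attacker sidestep, the following added example (not from the original post, and not an exploit for the flaw) builds a certificate chain the way a .NET component is expected to, with an application policy that demands a specific EKU, and shows that a certificate tagged only for code signing is rejected for server authentication. It uses the .NET X509Chain API through PowerShell on a patched system, so it demonstrates the intended enforcement rather than the bypass. The self-signed test certificate, its subject, and the use of the CurrentUser\My store are constructed for the example; New-SelfSignedCertificate with -TextExtension requires Windows 10 or Server 2016.

```powershell
# Added example (not from the original post): the EKU / application-policy
# check a .NET component relies on, exercised through X509Chain.
# Test certificate is constructed here and removed at the end (assumption:
# CurrentUser\My store, Windows 10+ New-SelfSignedCertificate).

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # EKU: TLS server authentication
$codeSignOid   = '1.3.6.1.5.5.7.3.3'   # EKU: code signing

# Constructed certificate: self-signed and tagged ONLY for code signing.
$cert = New-SelfSignedCertificate -Subject 'CN=eku-demo.example' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -TextExtension @("2.5.29.37={text}$codeSignOid")

function Test-CertificateForPurpose {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$RequiredEkuOid
    )
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    # The test cert is self-signed: relax trust-anchor and revocation checks so the
    # only policy left to fail is the EKU/application policy being demonstrated.
    $chain.ChainPolicy.VerificationFlags =
        [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    # Application policy: every certificate in the chain must be valid for this EKU.
    # This is the tagging that CVE-2018-0786 describes as being disregarded.
    $chain.ChainPolicy.ApplicationPolicy.Add(
        [System.Security.Cryptography.Oid]::new($RequiredEkuOid)) | Out-Null

    $accepted = $chain.Build($Certificate)
    [pscustomobject]@{
        Purpose  = $RequiredEkuOid
        Accepted = $accepted
        Status   = (@($chain.ChainStatus | ForEach-Object Status) -join ',')
    }
}

Test-CertificateForPurpose -Certificate $cert -RequiredEkuOid $codeSignOid
Test-CertificateForPurpose -Certificate $cert -RequiredEkuOid $serverAuthOid

# Remove the constructed certificate from the store.
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)"
```

On a correctly behaving system the first call is accepted and the second is rejected with a NotValidForUsage chain status; a component affected by CVE-2018-0786 is one that would proceed to use the certificate for server authentication regardless of that status.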
Meanwhile, Adobe released an update (APSB18-01) addressing an out-of-bounds read vulnerability (CVE-2018-4871) in Adobe Flash Player that can lead to information disclosure when successfully exploited. This flaw was also disclosed through Trend Micro’s Zero Day Initiative.
Trend Micro detects the proof-of-concept exploit targeting Spectre (CVE-2017-5753) as TROJ64_CVE20175753.POC. Trend Micro™ Deep Security and Vulnerability Protection protect systems from threats targeting the vulnerabilities above via the following DPI rules:
- 1008828 – Speculative Execution Information Disclosure Vulnerabilities (Spectre)
- 1008830 – Adobe Flash Player Memory Corruption Vulnerability (APSB18-01)
- 1008831 – Microsoft Word Memory Corruption Vulnerability (CVE-2018-0797)
- 30160: HTTP: Microsoft Edge Scripting Engine Memory Corruption Vulnerability
- 30162: HTTP: Microsoft Edge Fill Memory Corruption Vulnerability
- 30163: HTTP: Microsoft Word RTF Memory Corruption Vulnerability
- 30164: HTTP: Microsoft Edge Print Type Confusion Vulnerability
- 30167: HTTP: Microsoft Internet Explorer Array Prototype Type Confusion Vulnerability
- 30168: HTTP: Microsoft Edge Array Memory Corruption Vulnerability
- 30169: HTTP: Microsoft Edge JIT Use-After-Free Vulnerability
- 30185: HTTP: Microsoft Edge Function Type Confusion Vulnerability
- 30186: HTTP: Microsoft Edge Eval Type Confusion Vulnerability
- 30201: HTTP: Adobe Flash ETC2 Texture Data Information Disclosure Vulnerability