Patch Tuesday

Microsoft's monthly Patch Tuesday security updates are out, and for August 2018, the Redmond-based OS maker has fixed 60 security flaws, including two zero-days under active attacks.

The two zero-days are CVE-2018-8414 and CVE-2018-8373.

The SettingContent-ms debacle

Microsoft describes CVE-2018-8414 as a vulnerability in the Windows Shell, but in reality, this refers to the use of SettingContent-ms files (aka Windows 10 control panel shortcuts) for malware distribution.

Bleeping Computer previously reported on this topic in June when a SpecterOps researcher showed how hackers could abuse these types of files to execute malicious code on users' PCs.

We also reported when malware authors started experimenting with this technique a month later in early July, and again in mid-July when Microsoft intervened and blocked the embedding of SettingContent-ms files inside Outlook and Office 365 documents.

With today's updates, Microsoft has taken Windows 10 defenses a step further by ensuring that the Windows Shell properly validates file paths when executing SettingContent-ms files, preventing the original trick detailed by the SpecterOps researcher from working.

The IE zero-day

The second zero-day fixed this month is CVE-2018-8373, which Microsoft describes as "a remote code execution vulnerability [that] exists in the way that the scripting engine handles objects in memory in Internet Explorer."

Exploiting this flaw allows an attacker to run malicious code with the user's privileges. If the user is using an admin account, as most users tend to do on Windows, then the malicious code can wreak some serious havoc.

The zero-day can be exploited via web-based attacks if a user is accessing a malicious website via Internet Explorer, but also via email spam if a user opens documents in applications that embed the IE rendering engine.

Microsoft said details about this vulnerability became public and the company also recorded attacks using this flaw before today's updates. Bleeping Computer was unable to find any details about past campaigns. Microsoft credited security researcher Elliot Cao for discovering CVE-2018-8373.

Security advisories

On top of this, the Microsoft August 2018 Patch Tuesday also includes three security advisories containing patches for non-Windows security issues that the OS maker deemed critical enough to embed within its regular OS updates.

The first is ADV180018, which is a security advisory containing updates for the L1TF/Foreshadow vulnerability that affects Intel CPUs. More detailed info on this is available in a separate Bleeping Computer article.

The second is ADV180020. This security advisory includes this month's Adobe Flash Player fixes, detailed in a separate Bleeping Computer article here.

The third is ADV180021, also known as the "Microsoft Office Defense in Depth Update," which, obviously, contains security updates for Microsoft Office vulnerabilities.

Below is a table listing all the security issues Microsoft fixed this month. We used PowerShell and the Microsoft API to assemble the table below, but the report is much longer. We hosted the full report on GitHub, here.

If you're not interested in all security updates and you'd like to filter updates per product, you can use Microsoft's official Security Update Guide, available here.

| Tag | CVE ID | CVE Title |
|---|---|---|
| Microsoft Windows | ADV180018 | Microsoft Guidance to mitigate L1TF variant |
| Adobe Flash Player | ADV180020 | August 2018 Adobe Flash Security Update |
| Microsoft Office | ADV180021 | Microsoft Office Defense in Depth Update |
| .NET Framework | CVE-2018-8360 | .NET Framework Information Disclosure Vulnerability |
| Device Guard | CVE-2018-8200 | Device Guard Code Integrity Policy Security Feature Bypass Vulnerability |
| Device Guard | CVE-2018-8204 | Device Guard Code Integrity Policy Security Feature Bypass Vulnerability |
| Internet Explorer | CVE-2018-8316 | Internet Explorer Remote Code Execution Vulnerability |
| Microsoft Browsers | CVE-2018-8351 | Microsoft Browser Information Disclosure Vulnerability |
| Microsoft Browsers | CVE-2018-8403 | Microsoft Browser Memory Corruption Vulnerability |
| Microsoft Browsers | CVE-2018-8357 | Microsoft Browser Elevation of Privilege Vulnerability |
| Microsoft Edge | CVE-2018-8388 | Microsoft Edge Spoofing Vulnerability |
| Microsoft Edge | CVE-2018-8377 | Microsoft Edge Memory Corruption Vulnerability |
| Microsoft Edge | CVE-2018-8383 | Microsoft Edge Spoofing Vulnerability |
| Microsoft Edge | CVE-2018-8387 | Microsoft Edge Memory Corruption Vulnerability |
| Microsoft Edge | CVE-2018-8370 | Microsoft Edge Information Disclosure Vulnerability |
| Microsoft Edge | CVE-2018-8358 | Microsoft Edge Security Feature Bypass Vulnerability |
| Microsoft Exchange Server | CVE-2018-8374 | Microsoft Exchange Server Tampering Vulnerability |
| Microsoft Exchange Server | CVE-2018-8302 | Microsoft Exchange Memory Corruption Vulnerability |
| Microsoft Graphics Component | CVE-2018-8397 | GDI+ Remote Code Execution Vulnerability |
| Microsoft Graphics Component | CVE-2018-8400 | DirectX Graphics Kernel Elevation of Privilege Vulnerability |
| Microsoft Graphics Component | CVE-2018-8398 | Windows GDI Information Disclosure Vulnerability |
| Microsoft Graphics Component | CVE-2018-8406 | DirectX Graphics Kernel Elevation of Privilege Vulnerability |
| Microsoft Graphics Component | CVE-2018-8405 | DirectX Graphics Kernel Elevation of Privilege Vulnerability |
| Microsoft Graphics Component | CVE-2018-8401 | DirectX Graphics Kernel Elevation of Privilege Vulnerability |
| Microsoft Graphics Component | CVE-2018-8344 | Microsoft Graphics Remote Code Execution Vulnerability |
| Microsoft Graphics Component | CVE-2018-8396 | Windows GDI Information Disclosure Vulnerability |
| Microsoft Graphics Component | CVE-2018-8394 | Windows GDI Information Disclosure Vulnerability |
| Microsoft Office | CVE-2018-8375 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2018-8376 | Microsoft PowerPoint Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2018-8379 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2018-8378 | Microsoft Office Information Disclosure Vulnerability |
| Microsoft Office | CVE-2018-8382 | Microsoft Excel Information Disclosure Vulnerability |
| Microsoft Office | CVE-2018-8412 | Microsoft (MAU) Office Elevation of Privilege Vulnerability |
| Microsoft Scripting Engine | CVE-2018-8389 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2018-8385 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2018-8355 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2018-8371 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2018-8372 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2018-8353 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2018-8373 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2018-8380 | Chakra Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2018-8390 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2018-8381 | Chakra Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2018-8266 | Chakra Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2018-8359 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2018-8384 | Chakra Scripting Engine Memory Corruption Vulnerability |
| Microsoft Windows | CVE-2018-8346 | LNK Remote Code Execution Vulnerability |
| Microsoft Windows | CVE-2018-8345 | LNK Remote Code Execution Vulnerability |
| Microsoft Windows PDF | CVE-2018-8350 | Windows PDF Remote Code Execution Vulnerability |
| SQL Server | CVE-2018-8273 | Microsoft SQL Server Remote Code Execution Vulnerability |
| Windows Authentication Methods | CVE-2018-8340 | AD FS Security Feature Bypass Vulnerability |
| Windows COM | CVE-2018-8349 | Microsoft COM for Windows Remote Code Execution Vulnerability |
| Windows Diagnostic Hub | CVE-2018-0952 | Diagnostic Hub Standard Collector Elevation Of Privilege Vulnerability |
| Windows Installer | CVE-2018-8339 | Windows Installer Elevation of Privilege Vulnerability |
| Windows Kernel | CVE-2018-8341 | Windows Kernel Information Disclosure Vulnerability |
| Windows Kernel | CVE-2018-8404 | Win32k Elevation of Privilege Vulnerability |
| Windows Kernel | CVE-2018-8347 | Windows Kernel Elevation of Privilege Vulnerability |
| Windows Kernel | CVE-2018-8348 | Windows Kernel Information Disclosure Vulnerability |
| Windows Kernel | CVE-2018-8399 | Win32k Elevation of Privilege Vulnerability |
| Windows NDIS | CVE-2018-8343 | Windows NDIS Elevation of Privilege Vulnerability |
| Windows RNDIS | CVE-2018-8342 | Windows NDIS Elevation of Privilege Vulnerability |
| Windows Shell | CVE-2018-8414 | Windows Shell Remote Code Execution Vulnerability |
| Windows Shell | CVE-2018-8253 | Microsoft Cortana Elevation of Privilege Vulnerability |