It's March 2018, and your Windows PC can be pwned by a web article (well, none of OURS)

Plus plenty of other Microsoft and Adobe bugs to fix


Patch Tuesday Microsoft delivered another hefty bundle of patches with its scheduled monthly update.

Redmond bulks up for Vancouver

The March edition of Patch Tuesday lands just hours before researchers are expected to flaunt their latest and greatest exploits at the CanSecWest Pwn2Own hacking competition in Vancouver.

Hopefully nobody was planning to use any of the 75 CVE-listed vulnerabilities Microsoft addressed today, including several for the Edge and Internet Explorer browsers that would allow remote code execution.

The fixed bugs include nine remote code execution (RCE) flaws in the Chakra scripting engine in Edge. Microsoft says the scripting bugs (such as CVE-2018-0874) would allow an infected webpage to run code with the logged-in user's clearance level.

The Edge scripting engine was also the subject of four memory corruption RCE flaws, as well as an information disclosure bug, CVE-2018-0839, that allows an attack page to view objects in memory.

Just two of the 75 Microsoft bugs squashed this month have been publicly disclosed. They include an elevation of privilege bug in Exchange (CVE-2018-0940) exploited via email. Dustin Childs of the Zero Day Initiative said that the bug is perfectly set up to facilitate a spear phishing attack.

"An attacker could use this vulnerability to replace a legitimate Outlook Web Access interface with a fake login page," Childs explained.

"Once at the page, the user would be enticed to enter their real credentials."

Also publically disclosed was a denial of service bug in ASP.NET (CVE-2018-0808) that would allow an attacker to take down a vulnerable web application remotely without authentication.

Childs said another interesting bug in this month's bundle is CVE-2018-0868, an elevation of privilege bug in Windows Installer that allows an app to install unchecked libraries.

"At first glance, this doesn’t seem very crucial since an attacker would need the ability to run programs on a target system to exploit this vulnerability," Childs said.

"However, this type of bug is often used by malware authors to “piggyback” their malicious code on top of innocuous code. It’s always easier to convince someone to install ‘GreatNewGame.exe’ instead of ‘EvilMalware.exe.’"

Elsewhere, Windows Kernel was found to contain 13 different CVE-listed flaws (such as CVE-2018-0811) that allow applications to view objects in memory, while 13 other entries were devoted to elevation of privilege bugs in SharePoint (like CVE-2018-0947) that are caused by SharePoint Server failing to properly verify tenant permissions.

Office was the subject of three CVE entries; a security feature bypass in Excel (CVE-2018-0907), an information disclosure bug from documents viewing out of bounds memory (CVE-2018-0919), and a remote code execution flaw (CVE-2018-0922) via a memory corruption error.

Quiet month for Adobe

By comparison, it was a slow month for Flash exploits. Adobe says the March fix for Flash Player only addresses two remote code execution flaws (CVE-2018-4919, CVE-2018-4920).

Adobe has also posted a fix for a pair of cross-site scripting bugs in Connect (CVE-2018-4921, CVE-2018-4923) exploited via SWF files, and a remote code execution flaw in Dreamweaver (CVE-2018-4924) for Windows exploited via command injection. ®


Keep Reading

Tech Resources

Apps are Essential, so your WAF must be effective

You can’t run a business today without applications—and because apps are critical to strategic business imperatives and commerce, they have become the prime target for attackers.

Webcast Slide Deck | How backup modernization changes the ransomware game

If the thrill of backing up your data and wondering if you will ever see it again has worn off, start the new year by getting rid of the lingering pain of legacy backup. Bipul Sinha, CEO of the Cloud Data Management Company, Rubrik, and Miguel Zatarain, Director of Global Infrastructure Technology at PACCAR, Fortune 500 manufacturer of trucks and Rubrik customer, are talking to the Reg’s Tim Phillips about how to eliminate the costly, slow and spotty performance of legacy backup, and how to modernize your implementation in 2021 to make your business more resilient.

Three reasons you need a hybrid multicloud

Businesses need their IT teams to operate applications and data in a hybrid environment spanning on-premises private and public clouds. But this poses many challenges, such as managing complex networking, re-architecting applications for the cloud, and managing multiple infrastructure silos. There is a pressing need for a single platform that addresses these challenges - a hybrid multicloud built for the digital innovation era. Just this Regcast to find out: Why hybrid multicloud is the ideal path to accelerate cloud migration.

Top 20 Private Cloud Questions Answered

Download this asset for straight answers to your top private cloud questions.

Biting the hand that feeds IT © 1998–2021