Greg Wiseman, Senior Security Researcher at Rapid7:
Not Microsoft-specific, CVE-2018-8897 is the result of nearly all operating system vendors incorrectly handling debug exceptions coming from Intel architecture chips. Nobody wants to see another cross-platform, chip-related security issue, but CVE-2018-8897 is a nice example of coordinated disclosure. Advisories came out today from Microsoft, Apple, VMware FreeBSD and various Linux distributions, among others. In the case of Windows, this can lead to privilege escalation for a local attacker, allowing them to run arbitrary code in kernel mode. Unlike the Meltdown and Spectre vulnerabilities from earlier this year, this is not related to speculative execution; the fixes for this are software-based and do not require microcode updates.
Two Microsoft vulnerabilities this month are known to be exploited in the wild. CVE-2018-8120 is an elevation of privilege vulnerability affecting Windows 7, Server 2008, and Server 2008 R2. CVE-2018-8174, on the other hand, affects all supported versions of Windows and could lead to arbitrary code execution. As it’s a flaw in Microsoft’s VBScript engine, there are a variety of potential attack vectors. For example, an attacker could convince a user to visit a malicious or compromised web page or entice them to open an Office document containing a maliciously-crafted ActiveX control. Updating vulnerable systems should be high priority, given that attackers are already targeting these.
Two other vulnerabilities were publicly disclosed before this month’s updates became available. CVE-2018-8170 allows privilege escalation on Windows 10 versions 1703 and 1709, and CVE-2018-8141 (information disclosure) only affects Windows 10 version 1709, so exposure to these is relatively limited.
Aside from the usual system-level vulnerabilities being patched, back-end administrators should take note that Exchange Server and SharePoint Server (including Project Server) are getting fixes for a half-dozen vulnerabilities each.”
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.