Microsoft’s April Patch Tuesday release includes fixes for 66 bugs, 24 of which are rated critical. Notable is Microsoft’s disclosure of a publicly known SharePoint elevation of privilege bug (CVE-2018-1034), classified important, which has no fix but has not been publicly exploited.
Only SharePoint Enterprise Server 2016 is affected, according to Microsoft.
“An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server,” Microsoft said.
“A public disclosure means that a vulnerability was discovered and enough detail about the vulnerability or concept code has been released to give attackers a jump start. It does not mean it has been used in the wild. Public disclosures are an indicator of risk. Enough information is out there to give the attacker an edge in creating an exploit to utilize this vulnerability,” said Chris Goettl, product manager at Ivanti, regarding the SharePoint vulnerability.
Note that the April Security Update Guide also covers Internet Explorer, Edge, ChakraCore, Windows, Visual Studio, Microsoft Office, Office Services and Web Apps, and Microsoft’s Malware Protection Engine.
Security experts say one of the most important patches rolled out Tuesday was actually identified in March (CVE-2018-1038). That’s when Microsoft released an out-of-band fix for a Windows vulnerability introduced with the January Patch Tuesday update. If exploited, the bug could allow an authenticated attacker to install programs, access stored data or create new accounts with full user rights on Windows 7 and Server 2008 R2 machines.
“While this vulnerability was identified between March and April Patch Tuesdays, CVE-2018-1038 should be a top priority for anyone who has Windows 7 for x64-based Systems or Windows Server 2008 R2 for x64-based Systems, and you have installed any of the servicing updates released during or after January 2018, you need to install 4100480 immediately to be protected from this Elevation of Privilege vulnerability,” Goettl said in his commentary on Patch Tuesday.
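The condition Goettl describes (Windows 7 x64 or Server 2008 R2 x64, servicing updates from January 2018 or later present, KB4100480 missing) can be checked per host. The PowerShell below is an added example, not code from the article or from Microsoft; it assumes the fix is listed in the host's hotfix inventory under the identifier KB4100480 and that Windows 7 / Server 2008 R2 report an OS version beginning with 6.1. The function name `Test-CVE20181038Exposure` is the example's own.

```powershell
# Added example: flag Windows 7 x64 / Server 2008 R2 x64 hosts that have taken
# January-2018-or-later servicing updates but lack KB4100480 (the CVE-2018-1038 fix).
# Uses Get-WmiObject so it also runs on the PowerShell 2.0 that ships with Windows 7.
function Test-CVE20181038Exposure {
    $os = Get-WmiObject -Class Win32_OperatingSystem

    # Windows 7 and Server 2008 R2 both report kernel version 6.1.x (assumption: unchanged by updates).
    $isWin7Family = $os.Version -like '6.1.*'
    $isX64        = $os.OSArchitecture -like '64*'

    # Servicing updates from January 2018 onward; InstalledOn can be empty for some entries.
    $cutoff = Get-Date -Year 2018 -Month 1 -Day 1
    $recentUpdates = Get-HotFix | Where-Object {
        $_.InstalledOn -and ([DateTime]$_.InstalledOn) -ge $cutoff
    }

    # The fix itself, as it would appear in the hotfix inventory (assumed identifier: KB4100480).
    $fix = Get-HotFix -Id 'KB4100480' -ErrorAction SilentlyContinue

    $exposed = $isWin7Family -and $isX64 -and ($recentUpdates.Count -gt 0) -and (-not $fix)

    New-Object PSObject -Property @{
        ComputerName       = $env:COMPUTERNAME
        OSCaption          = $os.Caption
        OSVersion          = $os.Version
        Architecture       = $os.OSArchitecture
        Post2018Updates    = @($recentUpdates).Count
        KB4100480Installed = [bool]$fix
        Exposed            = $exposed
    }
}

# Usage: run on each candidate host, or wrap in Invoke-Command for a fleet.
Test-CVE20181038Exposure | Format-List
```

Treat `Exposed = True` as a queue entry for the update, not as proof of compromise; the check only tells you that the prerequisite state Goettl describes is present and the fix is absent.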
Another important fix is one for a piece of Microsoft’s own hardware, the Wireless Keyboard 850.
Hardware and keyboard patches are relatively rare, so the security bypass vulnerability Microsoft fixed today in the keyboard stood out among the typical security flaws. Microsoft rated the keyboard vuln (CVE-2018-8117) as “important.”
“Patches for hardware are rare, and patches for keyboards are especially rare, so it was somewhat shocking to see this bug detailed. However, the severity of this bug should not be scoffed at,” the Zero Day Initiative’s (ZDI) Dustin Childs said in an analysis of the vulnerability. “This vulnerability could affect you in two ways. First, an attacker could read your keystrokes – effectively turning your keyboard into a keystroke logger. Everything you type – passwords, account details, emails – could be viewed.”
An attacker could also inject keystrokes to an affected system by reusing the keyboard’s AES encryption key.
Microsoft also patched five critical flaws in the Windows Font Library, each of which allows remote code execution via Web or file-sharing attacks. Both Graham and Childs consider these patches priorities as well. “Browser [updates] are always important and near the top” as a priority, Childs says.
The Microsoft Graphics remote code execution flaws (CVE-2018-1010, CVE-2018-1012, CVE-2018-1013, CVE-2018-1015 and CVE-2018-1016) could allow an attacker to tuck malicious code into fonts. Malicious fonts can be delivered through Web browsing as well as through documents and attachments.
“According to Microsoft, these vulnerabilities can be exploited through a Web-based attack, meaning the user only needs to visit a malicious Web page. This could be through a compromised site or malicious ad server,” Qualys’ Graham says. “The other attack vector is file-based, meaning a document could be sent via email or through a fileshare that would run the exploit if opened.”
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the security computer blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also a freelance writer (Infosec Resources Institute and Cyber Defense Magazine) and developer of the 0xSI_f33d, a feed that compiles phishing and malware campaigns targeting Portuguese citizens.