![]() ![]() We reported the JScript vulnerability back in January. We’re quite familiar with the one publicly-known CVE for this month as it came through the ZDI program. CVE-2018-8267 – Scripting Engine Memory Corruption Vulnerability Jokes aside, with the proliferation of personal assistants and similar services, bugs in these products will likely become more prevalent in the years to come. ![]() Again, the attacker needs physical or console access to the system, so remote attacks not likely – provided you’re not talking on a speakerphone. This vulnerability is due to the Cortana service retrieving data from input services “without consideration for status.” While that description from Microsoft is a bit oblique, it seems someone close enough to speak to a Cortana-enabled system could execute programs with elevated privileges. Hey, Cortana – pop calc for me! Well, it might not be that simple, but it appears it’s not far off. CVE-2018-8140 – Cortana Elevation of Privilege Vulnerability Either way, this should also be near the top of your test and patch priority list. It’s unclear what those other situations may be, but that puts this bug pretty close to the wormable category as well. The patch notes that, “in most situations, an unauthenticated attacker” could do this. #Adobe patch 2018 codeSince http.sys runs with elevated privileges, the attacker’s code would get that same privilege. A remote attacker could cause code execution by sending a malformed packet to a target server. This time, the web server component http.sys is affected. This patch covers another serious bug in a web-facing service. CVE-2018-8231 – HTTP Protocol Stack Remote Code Execution Vulnerability I have the sense we’ll be hearing about this bug for a while. “Patch Now” doesn’t even seem forceful enough. This means there’s a SYSTEM-level bug in a listening service on critical infrastructure servers, which also means this is wormable. It’s also something that could be easily scripted. The more likely scenario is simply tricking a target DNS server into querying an evil server that sends the corrupted response – something that can be done from the command line. The attacker could attempt to man-in-the-middle a legitimate query. There are a couple of ways this could happen. This vulnerability could allow an attacker to execute code at the local system level if they can get a crafted response to the target server. This bug clearly wins for most critical this month. #Adobe patch 2018 windowsCVE-2018-8225 – Windows DNSAPI Remote Code Execution Vulnerability Let’s take a closer look at some of the more interesting patches for this month: Only one of these bugs is listed as being publicly known at the time of release, and none are listed as under active attack. Five of these CVEs came through the ZDI program. Of these 50 CVEs, 11 are listed as Critical and 39 are rated Important in severity. Microsoft released 50 security patches for June covering Internet Explorer (IE), Edge, ChakraCore, Hyper-V Server, Windows, and Microsoft Office and Office Services. #Adobe patch 2018 updateWe'll update should anything significant be released later. For some, that date can’t get here fast enough.Īs of publication, Adobe has released no other patches for June. Adobe plans on ending support for Flash in 2020. The patch also contained three other CVEs, all of which were reported through the ZDI program. ![]() According to some public reports, the CVE being exploited is primarily targeting the Middle East region and is wrapped in an Office document. Take a break from your regularly scheduled activities and join us as we review the details for security patches for June.Īdobe actually started their monthly patch cycle last week with an emergency patch for Flash to combat active attacks. June is here and with it comes the latest in security offerings from Adobe and Microsoft. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |