icetray - Fotolia
August Patch Tuesday closes CPU bug, two zero-day exploits
Administrators have their work cut out for them, with more than 60 vulnerabilities to handle for August Patch Tuesday, after reeling from the effects of a bad batch of July updates.
Microsoft closed two zero-day vulnerabilities and released a fix for a new exploit for Intel processors on August Patch Tuesday.
Microsoft released an advisory (ADV-180018) on the latest speculative execution side-channel vulnerability in Intel Core and Xeon processors, called L1 Terminal Fault. Dubbed Foreshadow by security researchers, the vulnerability lets an attacker read data as it passes between a host and a virtual machine and a hypervisor.
The earlier Spectre and Meltdown variants allowed process-to-process interactions, but this latest hardware exploit allows a guest system to retrieve data from another guest system, said Brian Secrist, content manager at Ivanti, based in South Jordan, Utah.
Full protection from Foreshadow (CVE-2018-3615, CVE-2018-3620 and CVE-2018-3646) on Windows requires a registry change, Microsoft patch and Intel firmware update.
"Once again, we have a bunch of hoops to jump through to get to full remediation," Secrist said, adding "2018 is keeping us real busy."
Microsoft addresses two zero-day exploits
Brian Secristcontent manager, Ivanti
Microsoft also closed a pair of zero-day remote code execution vulnerabilities. The first (CVE-2018-8373) is in the Microsoft Scripting Engine, with known exploits that affect all versions of Internet Explorer. It allows an attacker to run arbitrary code on unpatched machines in the context of users who visit a specially crafted website. Depending on the user's rights, the attacker could install programs or view and delete data. The patch changes how the scripting engine handles objects in memory. This CVE is critical for Windows desktop systems and important for server versions.
Rated important, the second zero-day (CVE-2018-8414) uses a Windows Shell bug in Windows 10 and Windows Server Semi-Annual Channel Server Core for remote code execution attacks. This vulnerability requires the user to run a malicious file either from email or a website, after which an attacker can run code at the privilege level of the current user. The patch makes Windows Shell validate file paths properly.
August Patch Tuesday closes more than 60 vulnerabilities
More than half of the 60 vulnerabilities disclosed in August Patch Tuesday affect browsers or the scripting engine. Administrators should prioritize patching workstations and servers for a critical remote code execution vulnerability (CVE-2018-8345) that triggers when viewed by a user. Microsoft resolved this exploit by correcting the processing of shortcut .LNK references.
"Because the user doesn't have to click on the malicious .LNK file to actually exploit the vulnerability, compared to browser vulnerability, it's more likely for a server admin to be browsing through files. If they see this shortcut and the system renders it, then that's when the exploit runs," said Jimmy Graham, director of product management at Qualys, based in Foster City, Calif.
Almost every major third-party vendor released patches and updates between the July and August Patch Tuesday, Secrist said. Adobe released four updates, including fixes for Adobe Flash and Acrobat. Google Chrome released version 68, and Firefox released updates for Thunderbird.
"We haven't seen any increase in attacks or anything, just an example of better research and better coverage of vulnerabilities," Secrist said.
July Patch Tuesday issues anger IT workers
After the July Patch Tuesday releases, on July 26, Microsoft warned customers of potential SQL Server startup problems on Windows desktop (7 and 8.1) and server (2008 R2 and 2012 R2) versions. The company released several hotfixes and recommended uninstalling the July patches. Such rollbacks of faulty Microsoft updates have become a recurring headache for administrators.
Microsoft's July security updates also caused problems for the .NET Framework. On July 16, Microsoft posted a blog that "encouraged" Exchange customers to delay applying the July 10 updates to avoid disruptions with mail delivery. Hotfixes for affected systems -- all supported versions of Windows Server -- did not arrive until July 17. Up until that point, the only remedy was to uninstall the .NET Framework 4.7.2 update.
"Clearly, there is a quality-assurance issue of some kind," Secrist said. "There's another .NET release this month. Hopefully, they spend more time on this one. We always strongly recommend you run [patches] through a test group and make sure they are stable before you push them out."
Jeff Guillet, CEO of EXPTA Consulting in Pacifica, Calif., reached out to the Exchange product group for more information when the disruptions first occurred and said it was a twofold problem of "really bad patches and bad communication."
"Nobody even acknowledged that there was a problem. And then, all of a sudden, they said, 'Oh, by the way, we fixed this.' [Administrators] had to troubleshoot it themselves, because there was no communication from Microsoft saying this was a problem," Guillet said.
While the intent of Patch Tuesday is to protect systems from vulnerabilities, the recent spate of patching issues concerns some IT administrators.
"Everybody's kind of come to terms with [monthly patching], but the expectation was that a patch isn't going to break stuff," Guillet said. "So, if it's going to start breaking things, now I need to worry about testing it, and I don't have time because the next patches are coming up next Tuesday."