Windows: CVE-2018-8423; CVE-2018-8453, CVE-2018-8495

[German]In October 2018, Microsoft patched some vulnerabilities in Windows with updates. The vulnerability CVE-2018-8495 is now being actively exploited. For the (probably incompletely patched) vulnerability CVE-2018-8495 a Proof-of-Concept (PoC) is now available. And the vulnerability CVE-2018-8423 was probably patched. Here is some information.

Exploit CVE-2018-8453 used in the wild

On 9.10.2018 Microsoft released a security update for the Win32k Elevation of Privilege vulnerability CVE-2018-8453 for all still supported Windows versions. The individual updates for the various Windows versions are available on this Microsoft page. 

It is recommended to patch your systems as soon as possible. Microsoft writes that there is no known attack on this vulnerability (0 – Exploitation Detected). But anti-virus provider Kaspersky claims the opposite in the following tweet. 

. @Microsoft published their security bulletin, which patches CVE-2018-8453, among others. It is a #vulnerability in #win32k.sys discovered by us and reported to them on August 17. @Microsoft confirmed the vulnerability and designated it CVE-2018-8453 https://t.co/Oh5yotBJsO

— Kaspersky Lab (@kaspersky) 12. Oktober 2018

Within this article Kaspersky security researchers write that a limited number of attacks have been detected in the Middle East that exploit this vulnerability. Details can be found in the linked article.

CVE-2018-8423: Windows Shell Remote Code Execution

Vulnerability CVE-2018-8423 describes a Windows Shell Remote Code Execution vulnerability that Microsoft classifies as 'important'. The vulnerability exists, if remote code is executed when the Windows shell improperly handles URIs. An attacker who successfully exploited the vulnerability could obtain the same user privileges as the current user.

Microsoft also writes: "An attacker could host a specially crafted website designed to exploit the vulnerability in Microsoft Edge. But the attacker must then convince a user to visit the site. The attack requires a specific user interaction to execute the remote code.

Proof of Concept for CVE-2018-8423

In this article, a security researcher describes some scenarios as proof of concept how this vulnerability could be exploited. Especially in environments where many users cannot resist the temptations of the Web, administrators should take care of eliminating this vulnerability. 

CVE-2018-8423 incompletely patched

I was alerted Friday by the vendor 0patch that the Microsoft fix for the CVE-2018-8423 vulnerability was incomplete. The 0patch people are writing:

This week [Microsoft on] Windows Updates brought a solution to the "0day" vulnerability in the Jet Database Engine (CVE-2018-8423) that we previously micropatched.  

Our analysis has shown that this official solution is flawed. We have informed Microsoft and released another micropatch to fix the official patch.

In other words, customers of 0patch who were actually protected from the CVE-2018-8423 vulnerability by their micropatch will find themselves in a stupid situation after the October 2018 patchday. Installing the Microsoft update will disable the 0patch micropatch and the vulnerability could be exploited again.

As you write this blog post, fully updated 32-bit and 64-bit Windows 10, Windows 8.1, Windows 7, Windows Server 2008, and Windows Server 2012 systems are vulnerable. The developers of 0patch suspect that the vulnerability is unfixed in all versions of Windows that use version 4.0.9801.0 of msrd3x40.dll.

0patch has therefore developed another micropatch for its customers for version 4.0.9801.0 of msrd3x40.dll, which closes the vulnerability that Microsoft has incompletely closed. The details can be found in this blog post.

CVE-2018-8495 patched

On October 10, 2018, Microsoft released a security update for the supported versions of Windows for the Microsoft JET Database Engine Remote Code Execution vulnerability CVE-2018-8495. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs, view, modify, or delete data, or create new accounts with full user privileges. Users whose accounts are configured to have fewer user privileges on the system could be less affected than users who work with administrative user privileges.

To exploit the vulnerability, a user must open/import a specially crafted Microsoft JET Database Engine file. In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted file to the user and then convincing them to open the file. Microsoft classifies the exploitation of this vulnerability as 'Exploitation Less Likely'.  This vulnerability has been know since September 2018. The developers of 0patch had created a micro patch for their customers. 

Note to 0patch users: Today's Windows updates bring an official fix for the Jet Database issue (CVE-2018-8423). The DLL we micropatched gets replaced, so our micropatch automatically stops getting applied. You don't have to do anything else. https://t.co/x9nRSaSn4G

— 0patch (@0patch) 9. Oktober 2018

In the tweet above, 0patch now informs its users that the 0patch solution is automatically deactivated when the Microsoft update is installed.