SANS ISC InfoSec Forums

February 2018 Microsoft (and Adobe) Patch Tuesday

I will update this diary as additional bulletins are released. Microsoft marked Adobe's bulletin as "not yet exploited". However, according to Adobe and reports from the Korean CERT, one of the vulnerabilities has already been exploited, so I am marking it differently here and assigning it a "Patch Now" rating. Not much detail has been made public yet about this vulnerability, which is why I am leaving the "Disclosed" rating at "No".

Microsoft lists one more vulnerability, CVE-2018-0771, as already disclosed. I left the rating at "Important" since this is just a security feature bypass.

The "SPECTRE" advisory (ADV180002) was originally released in January but has undergone several updates since then. The latest version, released today, includes references to new updates released for Windows 10 (32-bit). It also states that there is no release schedule for older versions of Windows, but that Microsoft is working on releasing updates for pre-Windows 10 operating systems.

February 2018 Security Updates

| Description | CVE / Advisory | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity |
|---|---|---|---|---|---|---|
| February 2018 Adobe Flash Security Update | ADV180004 | No | Yes | - | - | PATCH NOW |
| Guidance to mitigate speculative execution side-channel vulnerabilities (Spectre) | ADV180002 | No | No | Less Likely | Less Likely | Important |
| Microsoft Edge Information Disclosure Vulnerability | CVE-2018-0839 | No | No | - | - | Important |
| Microsoft Edge Information Disclosure Vulnerability | CVE-2018-0763 | No | No | - | - | Critical |
| Microsoft Edge Security Feature Bypass Vulnerability | CVE-2018-0771 | Yes | No | - | - | Moderate |
| Microsoft Excel Remote Code Execution Vulnerability | CVE-2018-0841 | No | No | - | - | Important |
| Microsoft Office Information Disclosure Vulnerability | CVE-2018-0853 | No | No | Less Likely | Less Likely | Important |
| Microsoft Office Memory Corruption Vulnerability | CVE-2018-0851 | No | No | More Likely | More Likely | Important |
| Microsoft Outlook Elevation of Privilege Vulnerability | CVE-2018-0850 | No | No | Less Likely | Less Likely | Important |
| Microsoft Outlook Memory Corruption Vulnerability | CVE-2018-0852 | No | No | Less Likely | Less Likely | Critical |
| Microsoft SharePoint Elevation of Privilege Vulnerability | CVE-2018-0869 | No | No | - | - | Important |
| Microsoft SharePoint Elevation of Privilege Vulnerability | CVE-2018-0864 | No | No | Unlikely | Unlikely | Important |
| Named Pipe File System Elevation of Privilege Vulnerability | CVE-2018-0823 | No | No | - | - | Important |
| Scripting Engine Memory Corruption Vulnerabilities | CVE-2018-0834 | No | No | - | - | Critical |
| Scripting Engine Memory Corruption Vulnerabilities | CVE-2018-0835 | No | No | - | - | Critical |
| Scripting Engine Memory Corruption Vulnerabilities | CVE-2018-0836 | No | No | - | - | Important |
| Scripting Engine Memory Corruption Vulnerabilities | CVE-2018-0837 | No | No | - | - | Critical |
| Scripting Engine Memory Corruption Vulnerabilities | CVE-2018-0838 | No | No | - | - | Critical |
| Scripting Engine Memory Corruption Vulnerabilities | CVE-2018-0840 | No | No | - | - | Critical |
| Scripting Engine Memory Corruption Vulnerabilities | CVE-2018-0856 | No | No | - | - | Critical |
| Scripting Engine Memory Corruption Vulnerabilities | CVE-2018-0857 | No | No | - | - | Critical |
| Scripting Engine Memory Corruption Vulnerabilities | CVE-2018-0858 | No | No | - | - | Critical |
| Scripting Engine Memory Corruption Vulnerabilities | CVE-2018-0859 | No | No | - | - | Critical |
| Scripting Engine Memory Corruption Vulnerabilities | CVE-2018-0860 | No | No | - | - | Critical |
| Scripting Engine Memory Corruption Vulnerabilities | CVE-2018-0861 | No | No | - | - | Critical |
| Scripting Engine Memory Corruption Vulnerabilities | CVE-2018-0866 | No | No | More Likely | More Likely | Important |
| StructuredQuery Remote Code Execution Vulnerability | CVE-2018-0825 | No | No | More Likely | More Likely | Critical |
| Windows AppContainer Elevation Of Privilege Vulnerability | CVE-2018-0821 | No | No | More Likely | More Likely | Important |
| Windows Common Log File System Driver Elevation of Privilege Vulnerabilities | CVE-2018-0844 | No | No | More Likely | More Likely | Important |
| Windows Common Log File System Driver Elevation of Privilege Vulnerabilities | CVE-2018-0846 | No | No | More Likely | More Likely | Important |
| Windows Denial of Service Vulnerability | CVE-2018-0833 | No | No | - | - | Moderate |
| Windows EOT Font Engine Information Disclosure Vulnerabilities | CVE-2018-0855 | No | No | - | - | Important |
| Windows EOT Font Engine Information Disclosure Vulnerabilities | CVE-2018-0755 | No | No | Less Likely | Less Likely | Important |
| Windows EOT Font Engine Information Disclosure Vulnerabilities | CVE-2018-0760 | No | No | More Likely | Less Likely | Important |
| Windows EOT Font Engine Information Disclosure Vulnerabilities | CVE-2018-0761 | No | No | More Likely | Less Likely | Important |
| Windows Elevation of Privilege Vulnerability | CVE-2018-0828 | No | No | Less Likely | Less Likely | Important |
| Windows Kernel Elevation of Privilege Vulnerabilities | CVE-2018-0831 | No | No | Less Likely | Less Likely | Important |
| Windows Kernel Elevation of Privilege Vulnerabilities | CVE-2018-0742 | No | No | More Likely | More Likely | Important |
| Windows Kernel Elevation of Privilege Vulnerabilities | CVE-2018-0756 | No | No | More Likely | More Likely | Important |
| Windows Kernel Elevation of Privilege Vulnerabilities | CVE-2018-0809 | No | No | More Likely | More Likely | Important |
| Windows Kernel Elevation of Privilege Vulnerabilities | CVE-2018-0820 | No | No | More Likely | More Likely | Important |
| Windows Kernel Information Disclosure Vulnerabilities | CVE-2018-0810 | No | No | - | - | Important |
| Windows Kernel Information Disclosure Vulnerabilities | CVE-2018-0829 | No | No | Less Likely | Less Likely | Important |
| Windows Kernel Information Disclosure Vulnerabilities | CVE-2018-0830 | No | No | Less Likely | Less Likely | Important |
| Windows Kernel Information Disclosure Vulnerabilities | CVE-2018-0832 | No | No | Less Likely | Less Likely | Important |
| Windows Kernel Information Disclosure Vulnerabilities | CVE-2018-0843 | No | No | - | - | Important |
| Windows Kernel Information Disclosure Vulnerabilities | CVE-2018-0757 | No | No | Less Likely | Less Likely | Important |
| Windows NTFS Global Reparse Point Elevation of Privilege Vulnerability | CVE-2018-0822 | No | No | More Likely | More Likely | Important |
| Windows Remote Code Execution Vulnerability | CVE-2018-0842 | No | No | More Likely | More Likely | Important |
| Windows Scripting Engine Memory Corruption Vulnerability | CVE-2018-0847 | No | No | More Likely | More Likely | Important |
| Windows Security Feature Bypass Vulnerability | CVE-2018-0827 | No | No | Less Likely | Less Likely | Important |
| Windows Storage Services Elevation of Privilege Vulnerability | CVE-2018-0826 | No | No | More Likely | More Likely | Important |
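Teams that use this table as the basis for patch prioritization usually end up re-keying it. As an added example (not ISC's code or part of the original diary), the helper below parses the listing in the line-oriented form the table takes when copied as plain text (a description line followed by one or more rows of ID, Disclosed, Exploited, Exploitability for old and current versions, Severity) and orders the entries the way the diary's own reasoning does: exploited in the wild first, then publicly disclosed, then severity, then "More Likely" exploitability on current versions. The sample rows are copied from the table above; the `SEVERITY_RANK` order and the tie-breaking are this example's assumptions, not an ISC rating scheme.

```python
import re
from dataclasses import dataclass

# Identifier column after normalisation: "CVE-2018-0839" or "ADV180004".
ID_RE = re.compile(r"^(?:CVE-\d{4}-\d{4,}|ADV\d{6})$")

# Sample rows copied from the February 2018 table, in the line-oriented form
# the ISC table takes when copied as plain text (includes the two header lines).
SAMPLE_LISTING = """
Description
CVE Disclosed Exploited Exploitability (old versions) current version Severity
February 2018 Adobe Flash Security Update
ADV180004 No Yes - - PATCH NOW
Guidance to mitigate speculative execution side-channel vulnerabilities (Spectre)
ADV180002 No No Less Likely Less Likely Important
Microsoft Edge Security Feature Bypass Vulnerability
CVE 2018-0771 Yes No - - Moderate
Microsoft Office Memory Corruption Vulnerability
CVE 2018-0851 No No More Likely More Likely Important
Scripting Engine Memory Corruption Vulnerabilities
CVE 2018-0834 No No - - Critical
CVE 2018-0866 No No More Likely More Likely Important
Microsoft SharePoint Elevation of Privilege Vulnerability
CVE 2018-0864 No No Unlikely Unlikely Important
"""

# Assumed ordering of the severity column; "PATCH NOW" is the diary's own override.
SEVERITY_RANK = {"PATCH NOW": 0, "Critical": 1, "Important": 2, "Moderate": 3, "Low": 4}


@dataclass
class Entry:
    description: str
    ident: str
    disclosed: bool
    exploited: bool
    exploitability_old: str
    exploitability_current: str
    severity: str


def _take_exploitability(tokens):
    """Pop one exploitability value: "-", "Unlikely", or the two-token "Less/More Likely"."""
    if not tokens:
        raise ValueError("missing exploitability column")
    if len(tokens) >= 2 and tokens[1] == "Likely":
        return " ".join(tokens[:2]), tokens[2:]
    return tokens[0], tokens[1:]


def _parse_row(description, tokens):
    ident, disclosed, exploited, *rest = tokens
    # Severity is the trailing column; only "PATCH NOW" spans two tokens.
    if rest[-2:] == ["PATCH", "NOW"]:
        severity, rest = "PATCH NOW", rest[:-2]
    elif rest:
        severity, rest = rest[-1], rest[:-1]
    else:
        raise ValueError(f"missing severity: {' '.join(tokens)}")
    old, rest = _take_exploitability(rest)
    current, rest = _take_exploitability(rest)
    if rest or disclosed not in ("Yes", "No") or exploited not in ("Yes", "No"):
        raise ValueError(f"malformed row: {' '.join(tokens)}")
    return Entry(description, ident, disclosed == "Yes", exploited == "Yes", old, current, severity)


def parse_listing(text):
    """A description line is followed by one or more rows of
    "<id> <Disclosed> <Exploited> <old> <current> <Severity>"."""
    entries, description = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Description" or line.startswith("CVE Disclosed"):
            continue  # blank lines and the two header lines
        tokens = line.split()
        # The listing writes "CVE 2018-0839" as two tokens; normalise to CVE-2018-0839.
        if tokens[0] == "CVE" and len(tokens) > 1 and re.fullmatch(r"\d{4}-\d{4,}", tokens[1]):
            tokens = ["CVE-" + tokens[1]] + tokens[2:]
        if not ID_RE.match(tokens[0]):
            description = line  # a new group heading
            continue
        if description is None:
            raise ValueError(f"row before any description: {line}")
        entries.append(_parse_row(description, tokens))
    return entries


def priority(entry):
    """Sort key, lowest first: exploited in the wild, then publicly disclosed,
    then severity, then "More Likely" exploitability on current versions."""
    return (
        0 if entry.exploited else 1,
        0 if entry.disclosed else 1,
        SEVERITY_RANK.get(entry.severity, len(SEVERITY_RANK)),
        0 if entry.exploitability_current == "More Likely" else 1,
        entry.ident,
    )


def triage(text):
    """Parse a listing and return its entries in patching order."""
    return sorted(parse_listing(text), key=priority)


if __name__ == "__main__":
    for e in triage(SAMPLE_LISTING):
        print(f"{e.ident:14} {e.severity:10} exploited={e.exploited!s:5} "
              f"disclosed={e.disclosed!s:5} {e.description}")
```

Run against the sample, the Flash advisory (exploited) sorts first, the disclosed Edge bypass second, and the remaining entries fall into severity order. The parser raises `ValueError` on a row it cannot account for completely, so a column that shifts in a future listing is noticed rather than silently mis-assigned.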

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute

Interesting: when I click on any of the ADV links (to Microsoft) I'm prompted to agree to their Microsoft Developer Services Agreement (https://technet.microsoft.com/en-us/cc300389). I'm not sure how their Developer EULA applies to security advisories.
Anonymous
Hi,
Do you have any plan to serve back this data using the API on https://isc.sans.edu/api?
Emin

6 Posts
Quoting Emin: Hi,
Do you have any plan to serve back this data using the API on https://isc.sans.edu/api?

Do the API calls from https://isc.sans.edu/api/#getmspatchday give you what you need?
InfoSanity

4 Posts
This is such a great service to the community. It's the first place we check after Patch Tuesday and use it as the basis for prioritizing what we patch. Thanks, Dr. J. Know it's much appreciated.
JeffSoh

31 Posts
Our API only works for the old "Bulletins". I am not planning to bring it back for the newer patches. Microsoft now has its own API that you can use. See portal.msrc.microsoft.com/en-us/ and follow the link to the API. You need to log in using your Microsoft account.
Johannes

3161 Posts
ISC Handler
It could be they are trying to establish legal grounds to go after people that reverse engineer their patches?! :)
dotBATman

63 Posts
+1
And the podcast gives you the “Keep Calm and Carry On” run-through during your commute.
dotBATman

63 Posts
Microsoft's GitHub on using PowerShell for the API

https://github.com/Microsoft/MSRC-Microsoft-Security-Updates-API/tree/master/src
Bugbear

7 Posts