Microsoft has fixed 11 critical bugs in its June Patch Tuesday update, including a Windows DNS-related remote code execution flaw. It also patched an easily exploitable problem in the Cortana voice engine.
One of the most serious issues is a critical remote code execution vulnerability (CVE-2018-8225) in the Windows Domain Name System (DNS), which could allow an attacker to take full control of the targeted machine. This can be carried out by sending a maliciously crafted DNS packet to the victim endpoint from a DNS server, or using spoofed DNS responses from an attack box, according to Microsoft’s June Patch Tuesday security bulletin.
“The attacker could attempt to man-in-the-middle a legitimate query,” explained Dustin Childs, researcher at the Zero Day Initiative, in its Patch Tuesday analysis posted on Tuesday. “The more likely scenario is simply tricking a target DNS server into querying an evil server that sends the corrupted response – something that can be done from the command line. It’s also something that could be easily scripted. This means there’s a system-level bug in a listening service on critical infrastructure servers, which also means this is wormable.”
He added, “‘patch now’ doesn’t even seem forceful enough. I have the sense we’ll be hearing about this bug for a while.”
A privilege-escalation vulnerability rated important in Cortana (CVE-2018-8140) meanwhile is due to the voice engine’s service retrieving data from input services “without consideration for status,” according to Microsoft. It was first discussed in March at a researcher conference.
“While that description from Microsoft is a bit oblique, it seems someone close enough to speak to a Cortana-enabled system could execute programs with elevated privileges,” said Childs. “Again, the attacker needs physical or console access to the system, so remote attacks not likely – provided you’re not talking on a speakerphone. Jokes aside, with the proliferation of personal assistants and similar services, bugs in these products will likely become more prevalent in the years to come.”
Researchers put a finer point on it with a few proof-of-concepts for the Cortana flaw, demonstrating a range of attack vectors for accessing confidential information. For instance, after bypassing the locked screen using a simple voice command, McAfee found that it was possible to easily search for confidential information and files using Cortana to search for keywords such as “OneDrive”; and, the researchers were able to execute arbitrary code from the lock screen using Cortana’s contextual menu. In a demo, they were able to carry out a full password reset and then log in on a Windows 10 build.
“This particular vulnerability is not highly critical, but it is interesting as it targets a growing and popular class of technology: intelligent digital personal assistants,” Lane Thames, senior security researcher at Tripwire, told Threatpost. “We’ve already seen weaknesses recently in Alexa due to third-party application issues. More of these types of problems will start to appear, most likely, in the years to come.”
In total, Microsoft’s June Patch Tuesday roundup included 50 security patches, with 11 listed as critical and 39 rated important. An out-of-band fix meanwhile was released for Adobe Flash Player last week.
There’s also a critical HTTP Protocol Stack remote code execution vulnerability (CVE-2018-8231) affecting the web server component http.sys, which confers elevated privileges to a remote attacker. The attacker can cause code execution by sending a malformed packet to a target server.
“The patch notes that, ‘in most situations, an unauthenticated attacker’ could do this,” ZDI’s Childs said. “It’s unclear what those other situations may be, but that puts this bug pretty close to the wormable category as well. Either way, this should also be near the top of your test and patch priority list.”
Other vulnerabilities being addressed include a remote code execution flaw in Excel (CVE-2018-8248); two privilege-escalation vulnerabilities in SharePoint Server and one in Office Web Apps Server; and seven separate Device Guard vulnerabilities in Windows 10 Enterprise and Server 2016 which allowed code integrity policies to be bypassed.
“June’s Patch Tuesday is rather run-of-the-mill, with a total of 50 vulnerabilities being addressed by Microsoft,” said Greg Wiseman, senior security researcher at Rapid7, in an email. “None of the Microsoft vulnerabilities patched today have been seen in the wild, although CVE-2018-8267 (an RCE vulnerability in Internet Explorer) had been publicly disclosed before today’s release and is likely to be exploited soon if it hasn’t already been.”