Microsoft Fixes 17 Critical Bugs in July Patch Tuesday Release
July 12, 2018
Seid Yassin (557 articles)

Microsoft Fixes 17 Critical Bugs in July Patch Tuesday Release

Microsoft patches 17 critical bugs and 34 important bugs as part of its monthly security bulletin.

Browser vulnerabilities took center stage in Microsoft’s July Patch Tuesday security bulletin. In all, Microsoft patched 17 bugs rated critical, with ten tied to scripting engine flaws impacting Internet Explorer. In total, Microsoft is reporting 53 bugs: 17 critical, 34 rated important, one moderate and one low.

The most severe of the browser bugs reported are four Chakra scripting engine memory corruption vulnerabilities (CVE-2018-8280, CVE-2018-8286, CVE-2018-8290, CVE-2018-8294). Each are remote code execution vulnerabilities tied to the JScript engine (Chakra), developed by Microsoft for its 32-bit version of the Internet Explorer.

“The 16 CVEs covering browsers should be prioritized for workstation type devices, meaning any system where users are commonly accessing the public internet through a browser or checking email. This includes multi-user servers that are used as remote desktops for users,” wrote Jimmy Graham, director of product management at Qualys.

Five bugs are tied to Microsoft Edge. One is a spoofing vulnerability (CVE-2018-8278) that exists when Microsoft Edge improperly handles specific HTML content, which could trick users into believing that they were visiting a legitimate website. “The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services,” wrote Microsoft.

Another bug (CVE-2018-8304) is a Windows DNSAPI denial of service vulnerability. DNSAPI is a dynamic-link library file in Windows. In this context it contains functions used by a system’s domain name system (DNS) in a client’s application program interface.

“While not a severe as last month’s wormable CVE-2018-8225, this bug could allow remote attackers to shut down a DNS server through merely a malformed DNS response. Again, that’s better than code execution, but it’s never good when an adversary can remotely shut down a part of your critical infrastructure,” commented ZDI researchers in their Patch Tuesday analysis.

Microsoft’s Office was also patched to prevent emails from containing untrusted TrueType fonts that could be used to compromise a targeted system.

The Office tampering vulnerability (CVE-2018-8310) “exists when Microsoft Outlook does not properly handle specific attachment types when rendering HTML emails. An attacker could exploit the vulnerability by sending a specially crafted email and attachment to a victim, or by hosting a malicious .eml file on a web server,” Microsoft wrote. EML files are a file format developed by Microsoft to archive emails while at the same time preserving the original HTML formatting and header.

source | threatpost