Microsoft Patches 11 Critical RCE Flaws in Windows, Browsers
13.6.18 securityweek Vulnerebility
Microsoft’s Patch Tuesday updates for June 18 address a total of 50 vulnerabilities, including nearly a dozen critical remote code execution flaws affecting Windows and the company’s Edge and Internet Explorer web browsers.
None of the security holes patched this month appear to have been exploited for malicious purposes, but one of them has been publicly disclosed before the release of a fix. The disclosed vulnerability is a use-after-free issue that allows an attacker to execute arbitrary code if they can convince the targeted user to open a malicious web page or file. The weakness was reported to Microsoft through Trend Micro’s Zero Day Initiative (ZDI), which made some details public after its 120-day deadline expired.
The list of critical vulnerabilities also includes CVE-18-8225, which impacts the Windows DNS component DNSAPI.dll. An attacker can leverage this flaw to execute arbitrary code in the context of the Local System Account by using a malicious DNS server to send specially crafted DNS responses to the targeted system.
Another critical RCE flaw, which Microsoft believes could be exploited in the wild at some point, is CVE-18-8251 and it impacts the Windows Media Foundation component. An attacker can exploit this flaw to take complete control of a system by getting the targeted user to open a malicious web page or document.
A security hole affecting the HTTP Protocol Stack (Http.sys) allows remote code execution by sending a specially crafted packet to the targeted server. While the flaw can be exploited without authentication and is considered critical, Microsoft believes exploitation is “less likely.”
The latest security updates also resolve a privilege escalation vulnerability affecting the Cortana voice assistant. The flaw, related to an issue disclosed earlier this year by researchers Amichai Shulman and Tal Be’ery, has been classified as “important” as exploitation requires physical or console access and the targeted system needs to have Cortana enabled.
Microsoft also released some mitigations for the recently disclosed Variant 4 of the Spectre/Meltdown vulnerabilities.
Adobe has yet to release any Patch Tuesday updates, but the company did resolve a Flash Player zero-day vulnerability earlier this month. The researchers who came across the exploit revealed that the flaw had been leveraged in attacks aimed at entities in the Middle East.