Newly Found Vulnerabilities Start to Disadvantage Microsoft Software
Researchers found that Microsoft’s Edge and Internet Explorer browsers, as well as its Office, Exchange, and Outlook software, are among the affected products. The ‘use after free’ vulnerability in the Windows VBScript engine is one of the most critical of the flaws: it can be used to force Internet Explorer to load and execute attacker-supplied code.
Microsoft and Adobe both require immediate patching because of newly found vulnerabilities in their code. Microsoft’s May security bulletin contains fixes for the following:
- 67 specific flaws in their software
- 21 of the 67 flaws are rated critical and can be exploited remotely
- 42 are rated important
- four are of low severity
The flaw, designated CVE-2018-8174, was first identified by researchers at Moscow-based Kaspersky Lab. They reported to Microsoft that the flaw exists in Windows 7, Windows RT, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012 and Windows Server 2016. The Kaspersky Lab researchers wrote in a blog post that “this exploit was found in the wild and was used by an APT actor.”
As defined by Estonia’s Foreign Intelligence Service, APT – short for advanced persistent threat – refers to “carefully targeted, long-term cyber operations in the course of which attackers combine multiple techniques to obtain the needed information about the target.”
On April 18, Kaspersky Lab researchers discovered the flaw after the company’s sandbox system automatically examined an exploit that someone had uploaded to the malware-scanning service VirusTotal.
Patch the Flaw Right Now
Security experts say individuals and businesses must patch the flaw immediately. In a Tuesday security advisory, Microsoft warned that the flaw could also be exploited through a malicious or compromised website.
Microsoft warns that in a web-based attack scenario, an attacker could host a specially crafted website designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website.
The exploit could also be delivered through malicious advertisements (a.k.a. malvertising). Microsoft stated that an attacker could also take advantage of compromised websites, and of websites that accept or host user-provided content or advertisements, adding that such websites could contain specially crafted content that exploits the vulnerability.
Kaspersky Lab and Qihoo 360 Core Security alerted Microsoft to the flaw in its software.
Beginning to Fix the Flaws
Gill Langston, director of product management at Qualys, wrote in a blog post that Microsoft suggests starting with CVE-2018-8174, then focusing on all browser updates, and then turning attention to Hyper-V.
Before that, however, many organizations need to move to a current version of Windows to make sure they are still receiving the latest security updates.
Last month, Microsoft ended support for Windows 10 version 1607, the “Anniversary Update.” Business users can continue to receive security-only updates for six months, and they also have the option to purchase extended-support contracts, which are expensive.
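As an added illustration of the patching advice above (this is example code, not something from the article, Microsoft, Qualys or Kaspersky), the following PowerShell snippet inventories a Windows host against the affected OS list given earlier and reports whether a given update is installed. The KB number is a labelled placeholder; the article does not give one, so substitute the KB Microsoft lists for your OS build in the CVE-2018-8174 advisory. The affected-OS list is constructed from the article’s own text.

```powershell
# Added example: inventory one Windows host for the May 2018 VBScript fix.
# PLACEHOLDER - replace with the KB Microsoft lists for this OS build.
$KbForThisHost = 'KB0000000'

# OS families the article lists as affected (constructed from the text above).
$AffectedCaptions = @(
    'Windows 7', 'Windows RT', 'Windows 8.1', 'Windows 10',
    'Windows Server 2008', 'Windows Server 2012', 'Windows Server 2016'
)

$os      = Get-CimInstance -ClassName Win32_OperatingSystem
$caption = $os.Caption

# Does this host's OS caption fall under one of the affected families?
$inScope = $AffectedCaptions | Where-Object { $caption -like "*$_*" }

# Get-HotFix reads the same data as Control Panel's "Installed Updates";
# it returns nothing (no error) when the KB is not present.
$installed = Get-HotFix -Id $KbForThisHost -ErrorAction SilentlyContinue

# The most recent hotfix date helps spot hosts that stopped receiving updates,
# e.g. a Windows 10 build that has fallen out of support.
$lastHotFix = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1

[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    OSCaption      = $caption
    OSBuild        = $os.BuildNumber
    InArticleScope = [bool]$inScope
    PatchInstalled = [bool]$installed
    LastHotFixDate = $lastHotFix.InstalledOn
    Action         = if ($inScope -and -not $installed) { 'PATCH NOW' } else { 'OK' }
}
```

Run it locally with an administrative shell, or wrap it in `Invoke-Command` to collect the same object from many hosts; a `PATCH NOW` row on a host whose last hotfix date is months old is the combination the article’s servicing warning is about.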