Microsoft Patch Tuesday updates for June 18 addresses 11 Critical RCE Flaws
13.6.18 securityaffairs
Vulnerebility

Microsoft issued Patch Tuesday updates for June 18 that address a total of 50 vulnerabilities, 11 of which are critical remote code execution flaws.
Microsoft issued Patch Tuesday updates for June 18 that address a total of 50 flaws, 11 critical remote code execution vulnerabilities and 39 issues rated as important.

The tech giant also issued some mitigations for the recently discovered Spectre/Meltdown Variant 4 vulnerabilities.

The critical issues affect Windows and the company web browsers Edge and Internet Explorer.

None of the patched vulnerabilities have been exploited in attacks in the wild, only one of them, a remote code execution flaw in the scripting engine tracked as CVE-18-8267 has been publicly disclosed before the release of a fix.

The flaw is a remote memory-corruption issue affecting Microsoft Internet Explorer that resides within the IE rendering engine. The flaw is triggered when the engine fails to properly handle the error objects, the attack could exploit the issue to execute arbitrary code in the context of the currently logged-in user.

Microsoft acknowledged the security researcher Dmitri Kaslov for reporting the flaw.

The most critical flaw addressed by the Patch Tuesday updates for June 18 is a remote code execution vulnerability tracked as CVE-18-8225 that resides in Windows Domain Name System (DNS) DNSAPI.dll.

The flaw affects all versions of Windows starting from 7 to 10, as well as Windows Server editions, it ties the way Windows parses DNS responses.

An attacker could exploit the flaw by sending corrupted DNS responses to a targeted system from an attacker-controlled malicious DNS server. Once the attacker has exploited the flaw he will be able to run arbitrary code in the context of the Local System Account.

“This vulnerability could allow an attacker to execute code at the local system level if they can get a crafted response to the target server. There are a couple of ways this could happen.” reads the analysis published by Trend Micro Zero Day Initiative (ZDI).

“The attacker could attempt to man-in-the-middle a legitimate query. The more likely scenario is simply tricking a target DNS server into querying an evil server that sends the corrupted response – something that can be done from the command line. It’s also something that could be easily scripted. This means there’s a SYSTEM-level bug in a listening service on critical infrastructure servers, which also means this is wormable.”

Microsoft Patch Tuesday updates for June 18

Another critical flaw addressed with the Patch Tuesday updates for June 18 is a remote code execution flaw tracked as CVE-18-8231 that resides in the HTTP protocol stack (HTTP.sys) of Windows 10 and Windows Server 2016.

The flaw could allow remote attackers to execute arbitrary code and take control of the affected systems.

This vulnerability originates when HTTP.sys improperly handles objects in memory, allowing attackers to send a specially crafted packet to an affected Windows system to trigger arbitrary code execution.

“This patch covers another serious bug in a web-facing service. This time, the web server component http.sys is affected. A remote attacker could cause code execution by sending a malformed packet to a target server. Since http.sys runs with elevated privileges, the attacker’s code would get that same privilege. ” continues ZDI.

The Patch Tuesday updates for June 18 also addresses a privilege escalation vulnerability affecting the Cortana voice assistant. The flaw, tracked as CVE-18-8140, is a privilege escalation vulnerability rated as “important.”

In this case, the attacker needs physical or console access to the system to trigger the flaw.