Blog

August 2018 Patch Tuesday Briefing

Update 2018-08-15: CVE-2018-8414 (Windows Shell Remote Code Execution Vulnerability) and CVE-2018-8373 (Internet Explorer Scripting Engine Memory Corruption Vulnerability) are reported to be under active use in the wild. We will continue to monitor the situation and ensure Kenna’s reference data reflects the latest information available.

As a service to our customers, we’ve started posting a monthly bulletin when Patch Tuesday (second Tuesday of every month) rolls around. Below, you’ll find information about the new updates released from Microsoft and Adobe this cycle, and additional information provided by Kenna that may be helpful in prioritization of these newly released vulnerabilities.

At time of writing, one CVE from last month’s July release has had events detected in the wild by Kenna’s sensor network: CVE-2018-5028. The detected events showed targeting of a Heap Overflow in Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions.

If Kenna is aware of any exploits or exploitation events for newly released CVEs, this information will be mentioned in this post below. At time of writing, no exploits or exploitation events currently exist in Kenna’s intelligence feeds for any CVEs released today. 

As always, upon receiving new intelligence against a given CVE or vulnerability, Kenna Risk Meter scores are automatically adjusted upward for the specific CVE or software. To learn more about how Kenna scores assets and vulnerabilities, see our Scoring documents.

This month’s Microsoft release covered 60 new vulnerabilities, 20 of which are rated critical, 38 are rated important, one is rated moderate, and final one at low severity in the following 42 products:

  • ChakraCore
  • Internet Explorer 10
  • Internet Explorer 11
  • Internet Explorer 9
  • Microsoft .NET Framework 2.0-4.7
  • Microsoft Edge
  • Microsoft Excel 2010
  • Microsoft Excel 2013
  • Microsoft Excel 2016
  • Microsoft Excel Viewer 2007
  • Microsoft Exchange Server 2010
  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2016
  • Microsoft Office 2010
  • Microsoft Office 2013
  • Microsoft Office 2016
  • Microsoft Office 2016
  • Microsoft Office Web Apps 2010
  • Microsoft Office Web Apps 2013
  • Microsoft Office Word Viewer
  • Microsoft Outlook 2010
  • Microsoft Outlook 2013
  • Microsoft Outlook 2016
  • Microsoft PowerPoint 2010
  • Microsoft SQL Server 2016
  • Microsoft SQL Server 2017
  • Microsoft SQL Server 2017
  • Microsoft SharePoint Enterprise Server 2013
  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft SharePoint Server 2013
  • Microsoft Visual Studio 2015
  • Microsoft Visual Studio 2017
  • Windows 10
  • Windows 7
  • Windows 8.1
  • Windows 8.1
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Word Automation Services

 

In addition, guidance was made available for mitigating new side-channel information disclosure issues – specifically Lazy FP State Restore (CVE-2018-3665) and the L1TF variant (CVE-2018-3620).

Adobe released bulletins and patches for 11 vulnerabilities this cycle, with 2 critical and 5 vulnerabilities rated important in the following products:

 

Flash and Reader are the most exploited client-side software of 2018 by number of unique CVEs detected in the wild – with one from last month’s release being actively exploited in the wild (see above) – so make sure to apply those patches first. As mentioned last month, Adobe Experience Manager typically runs on the perimeter and is easily discoverable. The Creative Cloud vulnerability is DLL hijacking in the installer, making it unlikely to be exploited in the wild.

Also, you can find a full listing of current CVEs here, with current – as of writing –  risk scores for older vulnerabilities. As always, Kenna scores are dynamic, and subject to significant adjustment based on new intelligence. To check the latest scores, sign up here.