In a prelude to its April Patch Tuesday updates, Microsoft released several out-of-band patches in recent weeks, including one that plugs a zero-day exploit the company created when it tried to correct earlier Meltdown patches.
With any luck, Windows administrators have heard the last of any lingering vulnerability issues stemming from patches related to the Meltdown and Spectre CPU bugs after Microsoft released unscheduled fixes to close an exploit caused by previous Meltdown fixes. Microsoft released an out-of-band patch on March 29 to close a Windows kernel escalation of privilege vulnerability (CVE-2018-1038) for Windows 7 and Windows Server 2008 R2 64-bit systems.
"The access to the RAM on the system is apparently wide open unless you apply the update they made available," said Chris Goettl, director of product management at Ivanti, based in South Jordan, Utah. "If people haven't already, this is definitely an urgent update for this month."
Microsoft credited security researcher Ulf Frisk for his work to uncover the "Total Meltdown" zero-day exploit in systems that installed a number of the company's patches, including monthly rollups and security-only updates from January, February and March.
The exploit, rated important, required an attacker to have login credentials for the system and then run a specially crafted program to take over the machine. The attacker could then perform various tasks, such as making new accounts with full user rights, deleting data or installing programs.
Out-of-band patches address malware engine flaw
A few days after Microsoft addressed Total Meltdown, the company on April 3 released out-of-band patches for all supported Windows operating systems, Exchange Server 2013 and 2016, and several security products to address a critical vulnerability. The update corrects a remote code execution exploit (CVE-2018-0986) in the Microsoft Malware Protection Engine.
Microsoft credited Thomas Dullien of Google Project Zero for uncovering the memory corruption flaw, which Microsoft caused when it modified open source UnRAR code that is more than five years old to alter integer values from signed to unsigned. A majority of the systems this vulnerability affects are Windows systems running Windows Defender.
The exploit is particularly dangerous for the Windows 8, 8.1 and 10 client operating systems because Windows Defender is the default antivirus application with real-time protection enabled. The antimalware application scans all files automatically, meaning the exploit requires no interaction from the user. If an unpatched system scans a specially crafted file compressed in RAR format from an email attachment or a file downloaded from a website, for instance, the attacker takes control of the system.
This patch might not require any manual intervention if administrators enabled automatic updates for products that use the Microsoft Malware Protection Engine. According to Microsoft, affected systems with the automated update configuration should have gotten updated definitions that closed the exploit 48 hours after the April 3 release.
"For most people, this should have already plugged itself automatically," Goettl said.
Administrators can verify that a system has the update by going to Help in Windows Defender and clicking About to see the engine version number, which should be at least 1.1.14700.5.
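The same check can be scripted across several machines instead of opening the About dialog on each one. The following is an added example, not code from the article or from Microsoft: it assumes the Defender PowerShell module (Get-MpComputerStatus and its AMEngineVersion property) is available on the targets and that they are reachable over WinRM. The host names are placeholders.

```powershell
# Added example: audit the Microsoft Malware Protection Engine version on a list of hosts.
# The minimum version is the one given in the article; the host names are hypothetical.
$MinimumEngine = [version]'1.1.14700.5'
$Computers     = @('WS-EXAMPLE-01', 'WS-EXAMPLE-02')

function Test-EngineVersion {
    param(
        [Parameter(Mandatory)] [string]  $EngineVersion,
        [Parameter(Mandatory)] [version] $Minimum
    )
    # Cast to [version] so 1.1.9999.0 sorts below 1.1.14700.5 (a text compare would not).
    return ([version]$EngineVersion -ge $Minimum)
}

$report = foreach ($name in $Computers) {
    $session = $null
    try {
        $session = New-CimSession -ComputerName $name -ErrorAction Stop
        $status  = Get-MpComputerStatus -CimSession $session -ErrorAction Stop
        [pscustomobject]@{
            Computer      = $name
            EngineVersion = $status.AMEngineVersion
            Patched       = Test-EngineVersion -EngineVersion $status.AMEngineVersion -Minimum $MinimumEngine
            Note          = ''
        }
    }
    catch {
        # Unreachable host, missing Defender module or empty version: report as not verified.
        [pscustomobject]@{
            Computer      = $name
            EngineVersion = $null
            Patched       = $false
            Note          = $_.Exception.Message
        }
    }
    finally {
        if ($session) { Remove-CimSession -CimSession $session }
    }
}

# Unverified and unpatched hosts sort to the top of the table.
$report | Sort-Object Patched, Computer | Format-Table -AutoSize
```

A host that cannot be queried is listed as unpatched with the error in the Note column, so a failed check is never mistaken for a passed one.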
April Patch Tuesday plugs more than 60 vulnerabilities
Microsoft addressed more than 60 vulnerabilities in April Patch Tuesday, and administrators should address the multiple critical exploits in operating systems, Office applications and web browsers.
Two client system vulnerabilities to pay particular attention to are an Office remote code execution vulnerability (CVE-2018-1026) and one specific to Excel (CVE-2018-0920). Neither has been publicly disclosed or exploited, but together they create "a pair of perfect kind of vulnerabilities for exploiting an end user," Goettl said.
In both exploits, an attacker uses specially crafted files to gain access equal to the user. If the organization follows a least-privilege policy, that mitigates this type of attack. If the exploit compromises an administrator, the attacker gains access to the whole system. The Office remote code execution vulnerability is not specific to any document type.
Administrators should also prioritize patches for workstations and servers to address five critical remote-code execution vulnerabilities -- CVE-2018-1010, CVE-2018-1012, CVE-2018-1013, CVE-2018-1015 and CVE-2018-1016 -- in the Windows font library due to the threat of multiple attack vectors.
"These can be exploited through a web-based attack or file-sharing attack," said Jimmy Graham, director of product management at Qualys Inc., based in Redwood City, Calif. "Someone can open a malicious file and be exploited."
Microsoft also closed an elevation of privilege exploit for CVE-2018-1034, a vulnerability rated important for SharePoint Enterprise Server 2016. An attacker can take advantage of an unpatched SharePoint server by sending a specially crafted request that allows the attacker to perform unsanctioned actions, such as gaining access to unauthorized content. Because the exploit had been publicly disclosed -- which means threat actors get advance notice of the vulnerability -- administrators should patch affected systems quickly despite its relatively low risk level, Goettl said.
"Important vulnerabilities get exploited, because they get overlooked," he said.
In other patch news, Microsoft no longer requires the antivirus compliance key for Windows systems, a requirement it initiated in January, according to Goettl. Microsoft stopped this requirement for Windows 10 in March, and for the other supported Windows systems on April Patch Tuesday.
For more information about the remaining security bulletins for April Patch Tuesday, visit Microsoft's Security Update Guide.
Tom Walat is the site editor for SearchWindowsServer. Write to him at firstname.lastname@example.org or follow him @TomWalatTT on Twitter. SearchWindowsServer associate editor Kristen Gloss contributed to this report.