Zero-day exploits resolved by Microsoft on May Patch Tuesday

Administrators will have fewer zero-day exploits to worry about -- including the Double Kill vulnerability -- after rolling out the May Patch Tuesday updates.

The updates resolved the Double Kill vulnerability (CVE-2018-8174), which was discovered by security firm Qihoo 360 that affected all supported Windows operating systems. The critical vulnerability allowed an attacker to perform remote code execution through a variety of ways, such as a compromised website, ads or Office documents.

"It gave a very wide number of attack possibilities in this case," said Chris Goettl, director of product management at Ivanti, based in South Jordan, Utah. "That would definitely make it so that the OS updates this month are a high priority."

A second zero-day exploit (CVE-2018-8120) resolved this month gave attackers the opportunity to exploit how Win32k handles objects in memory to elevate their privilege. In Windows 7, Windows Server 2008 and Windows Server 2008 R2, the attacker could run arbitrary code in kernel mode to view or edit data, create new accounts or install programs.

Chris Goettl

"If hypothetically an attacker were to use that Double Kill exploit on a Windows 7 box, but the user was a regular user, they could then use this attack, elevate their privilege level, and now they've got full control of the system," Goettl said.

The zero-day exploits are two of the more than 65 vulnerabilities overall that Microsoft addressed in the May Patch Tuesday updates, many of which affect operating systems, browsers and Office. Exchange administrators should note two patches, including one that addresses a spoofing vulnerability (CVE-2018-8153).

"[There's] an interesting one, an [Outlook Web Access] issue where somebody could perform an injection attack by crafting an email properly and then having a user access that in OWA," said Gill Langston, director of product management at Qualys, based in Redwood City, Calif.

Another Exchange patch addresses a memory corruption vulnerability (CVE-2018-8154), which an attacker could use to execute code.

Internet Explorer and Edge also have multiple high-priority patches again this month.

After resolving zero-day exploits and more critical patches, administrators' attention should turn to patches securing Hyper-V. One (CVE-2018-0961) allows a guest operating system to send Hyper-V packets to the host to compromise it. Another (CVE-2018-0959) addresses arbitrary code execution from a guest application on an operating system.

For more information about the remaining security bulletins for May Patch Tuesday, visit Microsoft's Security Update Guide.