[SingCERT] Advisory on Important Microsoft vulnerabilities affecting Office, .NET Framework and ASP.NET Core

Published on Friday, 12 January 2018 17:44

Background

On 9 January 2018, Microsoft announced the release of several security patches to fix vulnerabilities affecting Microsoft Office, the .NET Framework, and ASP.NET Core, amongst others.

There are three key vulnerabilities to note:
The first (zero-day) vulnerability, CVE-2018-0802, is a remote code execution flaw in Microsoft Office. It is triggered when the user opens a specially crafted malicious Word file in Office or WordPad. The vulnerability can be exploited when users click on a link in an email or instant message, thereby opening the malicious file.

The second vulnerability, CVE-2018-0786, is a certificate validation bypass in .NET Framework, which allows invalid certificates to appear valid.
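The framework-level flaw above is fixed only by applying Microsoft's update. A related mistake that produces the same effect (invalid certificates appearing valid) is application code that overrides the framework's verdict with a callback that always returns true. The following is an added example, not code from the advisory or from Microsoft: it assumes a hypothetical `StrictTlsClient` helper built on `HttpClientHandler` (.NET Framework 4.7.1 or later, or .NET Core) and shows a validation callback that never accepts a certificate the framework has rejected, logging the chain status for triage instead.

```csharp
// Added illustration (not the advisory's or Microsoft's code).
// Strict server-certificate validation for HttpClient: the callback only
// confirms the framework's own decision and records why a certificate failed.
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class StrictTlsClient   // hypothetical helper name
{
    // Signature required by HttpClientHandler.ServerCertificateCustomValidationCallback.
    public static bool ValidateServerCertificate(HttpRequestMessage request,
        X509Certificate2 certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        if (sslPolicyErrors == SslPolicyErrors.None)
        {
            return true;   // chain built, name matched, nothing to override
        }

        // Record the failure so operators can investigate; do not accept it.
        Console.Error.WriteLine("TLS certificate rejected for {0}: {1}",
            request.RequestUri, sslPolicyErrors);
        if (chain != null)
        {
            foreach (X509ChainStatus status in chain.ChainStatus)
            {
                Console.Error.WriteLine("  chain status: {0} ({1})",
                    status.Status, status.StatusInformation);
            }
        }
        return false;   // the anti-pattern is 'return true;' here
    }

    public static HttpClient Create()
    {
        var handler = new HttpClientHandler
        {
            // Ask the framework to consult CRLs/OCSP when building the chain.
            CheckCertificateRevocationList = true,
            ServerCertificateCustomValidationCallback = ValidateServerCertificate
        };
        return new HttpClient(handler);
    }
}
```

A quick audit for the anti-pattern is to search application code for `ServerCertificateValidationCallback` and `ServerCertificateCustomValidationCallback` assignments whose body is `return true` or a `(a, b, c, d) => true` lambda; those should be removed or replaced with a callback like the one above.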

The third vulnerability, CVE-2018-0785, is a Cross-Site Request Forgery (CSRF) vulnerability in the individual authentication templates for ASP.NET Core. As a result, users are susceptible to account hijacking by way of a cross-site scripting attack.

Affected Products

CVE-2018-0802
  • Microsoft Office 2007, 2010, 2013, 2016
CVE-2018-0786
  • Microsoft .NET Framework 1.1, 2.0, 3.0, 3.5, 3.5.1, 4, 4.5, 4.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, and 4.7
  • .NET Core 1.0 and 2.0
CVE-2018-0785
  • ASP.NET Core 1.0, 1.1, and 2.0
Impact

An attacker can exploit these vulnerabilities for various malicious purposes:

CVE-2018-0802
  • Remote code execution, which allows the attacker to take complete control of the user's machine.
CVE-2018-0786
  • Bypass certain security restrictions and perform unauthorised actions which may aid in further cyber-attacks.
CVE-2018-0785
  • Change the recovery codes associated with the victim's user account without the victim's consent. As a result, a victim who loses their 2FA device may be permanently locked out of the account, as the initial recovery codes will no longer be valid. The attacker could also perform unauthorised operations such as fund transfers from the victim's account.
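To make the CSRF impact above concrete, here is an added example for ASP.NET Core 2.x MVC with Identity; it is not the Identity template's own code and not Microsoft's fix. It assumes a hypothetical `ManageController` using the standard `UserManager<IdentityUser>` API and contrasts a recovery-code regeneration action exposed as a plain GET (which a cross-site page can trigger because the browser attaches the victim's authentication cookie) with the same action restricted to POST and guarded by `[ValidateAntiForgeryToken]`.

```csharp
// Added illustration (not the ASP.NET Core Identity template's code).
// A state-changing action such as regenerating 2FA recovery codes must not be
// reachable by a simple GET; it should require POST plus an anti-forgery token.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

[Authorize]
public class ManageController : Controller   // hypothetical controller name
{
    private readonly UserManager<IdentityUser> _userManager;

    public ManageController(UserManager<IdentityUser> userManager)
    {
        _userManager = userManager;
    }

    // WEAK: any navigation to this URL regenerates the codes. A page on another
    // origin can cause the victim's browser to request it, and the victim's
    // cookie makes the request authenticated, so the old codes are invalidated
    // without the victim ever seeing the new ones.
    [HttpGet]
    public async Task<IActionResult> GenerateRecoveryCodesWeak()
    {
        var user = await _userManager.GetUserAsync(User);
        var codes = await _userManager.GenerateNewTwoFactorRecoveryCodesAsync(user, 10);
        return View("ShowRecoveryCodes", codes);
    }

    // HARDENED: POST only, and the request must carry the anti-forgery token that
    // the same-origin form emits (<form asp-action="GenerateRecoveryCodes" method="post">).
    // A cross-site page cannot read that token, so the forged request is rejected
    // by the framework before this method runs.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> GenerateRecoveryCodes()
    {
        var user = await _userManager.GetUserAsync(User);
        if (user == null)
        {
            return NotFound();
        }
        if (!await _userManager.GetTwoFactorEnabledAsync(user))
        {
            // Regenerating codes only makes sense once 2FA is enabled; refuse otherwise.
            return BadRequest("Two-factor authentication is not enabled for this account.");
        }
        var codes = await _userManager.GenerateNewTwoFactorRecoveryCodesAsync(user, 10);
        return View("ShowRecoveryCodes", codes);
    }
}
```

Rather than annotating every action, the same protection can be applied globally with `services.AddMvc(options => options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));` in `Startup.ConfigureServices`, which validates the token on every unsafe HTTP method. A useful review check for templates generated before the January 2018 update is to list every action that changes account state and confirm none of them is reachable via GET.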
Recommendations

References
https://www.theregister.co.uk/2018/01/09/patch_tuesday/
https://securityaffairs.co/wordpress/67578/security/january-2018-patch-tuesday.html
https://www.thezdi.com/blog/2018/1/9/the-january-2018-security-update-review