Memory corruption and buffer overflow bugs behind the issues

Nov 14, 2018 21:46 GMT

Microsoft fixed multiple remote code execution vulnerabilities affecting Microsoft Word, Microsoft Excel, and Microsoft Windows Search, which allow remote attackers to execute arbitrary code on vulnerable Windows systems.

Microsoft Word is affected by two memory corruption bugs (CVE-2018-8539 and CVE-2018-8573) which would allow remote attackers to craft malicious .doc files that execute arbitrary code with the current user's system privileges.

The bugs stem from Microsoft Word failing to properly handle objects in memory, and they can be exploited via email- or web-based attacks, either by sending the maliciously crafted file by email or by hosting it on a site the attacker controls.

The vulnerabilities affecting Microsoft Excel (CVE-2018-8577 and CVE-2018-8574) are both buffer overflows which, just like the issues affecting Microsoft Word, would allow potential remote attackers to execute arbitrary code on a vulnerable target system in the context of the currently logged-in user.

"If the current user is logged on with administrative user rights, an attacker could take control of the affected system," says Microsoft in their advisory. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

Microsoft has issued security patches which fix all these RCE vulnerabilities

Because admin accounts give attackers the possibility to take full control of a system once they manage to compromise it, one should always use Windows under accounts with limited privileges to lessen the impact of a potential security breach.

A boundary error triggers the security issue when Microsoft Excel tries to process an Excel document specially crafted by an attacker. To successfully exploit this bug, bad actors have to trick their victims into opening such a malicious document to set off a memory corruption condition and allow for arbitrary code execution.

The Microsoft Windows Search remote code execution vulnerability (CVE-2018-8450) resides in the improper handling of memory objects by Windows' built-in indexed desktop search platform.

Moreover, the security issue is exploitable by remote attackers who can send maliciously crafted messages to the Windows Search service and trigger the vulnerability using an SMB connection, which would allow for arbitrary code execution and give them control of the target machine.

The security updates issued by Microsoft address these RCE vulnerabilities by correcting how Microsoft Word, Microsoft Excel, and Microsoft Windows Search handle objects in memory, effectively eliminating the exploitable memory corruption and buffer overflow bugs.