CVE-2018-8414
Published 2018-08-15
CVE-2018-8414: A remote code execution vulnerability exists when the Windows Shell does not properly validate file paths, aka "Windows Shell Remote Code Execution…
Priority: P1 · 86 · high · 8.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Flags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2022-04-15
Exploited in the wild
EPSS: 73.97% (99.4th percentile)
A remote code execution vulnerability exists when the Windows Shell does not properly validate file paths, aka "Windows Shell Remote Code Execution Vulnerability." This affects Windows 10 Servers, Windows 10.
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10_servers | — | — |
| microsoft | windows_10_servers | — | — |
| msrc | windows_10_version_1703_for_32-bit_systems | — | — |
| msrc | windows_10_version_1703_for_x64-based_systems | — | — |
| msrc | windows_10_version_1709_for_32-bit_systems | — | — |
| msrc | windows_10_version_1709_for_x64-based_systems | — | — |
| msrc | windows_10_version_1803_for_32-bit_systems | — | — |
| msrc | windows_10_version_1803_for_x64-based_systems | — | — |
| msrc | windows_server_version_1709 | — | — |
| msrc | windows_server_version_1803 | — | — |
Detection & IOCs (extracted from sources)
Detections:
- Monitor SettingContent-ms files for creation of new child processes, particularly PowerShell, cmd, mshta, certutil, bitsadmin, and WMI invocations originating from .settingcontent-ms file handling
- Flag .settingcontent-ms files with unusually large file sizes, as Icon-tag-based payloads embed unlimited-length obfuscated scripts and will be larger than normal
- Detect abuse of the Icon tag in SettingContent-ms files containing embedded scripts (e.g. ReflectivePEInjection, backdoors) beyond simple icon paths
- Hunt for .settingcontent-ms files embedded inside PDF documents, as this delivery vector was observed in the wild dropping FlawedAmmyy RAT
- Alert on PowerShell scripts executed via the DeepLink tag of a SettingContent-ms file that download and execute remote payloads
Notes:
- The DeepLink tag in a malicious SettingContent-ms file accepts a maximum of 517 characters, limiting the complexity of directly embedded commands; longer payloads must use the Icon tag instead
- The Icon tag in SettingContent-ms accepts unlimited characters, enabling arbitrarily long and obfuscated payloads; the file icon will appear blank regardless of Icon tag content, making visual inspection unreliable
- CVE-2018-8414 affects only Windows 10 and Windows 10 Servers; SettingContent-ms was first introduced in Windows 10
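As an added example (not part of this record or of any vendor's detection rule), a small Python triage script that applies the notes above to a .settingcontent-ms file: it pulls the DeepLink and Icon values out of the XML and flags launcher references, values that are not plain file paths, a DeepLink over the 517-character limit, and an oversized Icon value. The sample documents, the launcher list and the 260-character Icon threshold are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Heuristics follow the detection notes above. The launcher list and the 260-character
# Icon threshold are assumptions for this example; 517 is the reported DeepLink limit.
LAUNCHERS = ("powershell", "pwsh", "cmd.exe", "mshta", "certutil", "bitsadmin", "wmic")
DEEPLINK_MAX_CHARS = 517
ICON_MAX_CHARS = 260
# A legitimate DeepLink or Icon is a bare path such as %windir%\system32\control.exe:
# no arguments, whitespace, quotes or shell metacharacters.
PLAIN_PATH = re.compile(r"^(?:%[A-Za-z_]+%|[A-Za-z]:)?[\\/][^\s\"'<>|;&]+$")

# Constructed sample document (not from any real campaign); the AppID is a placeholder.
_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>constructed.sample.appid</AppID>
      <DeepLink>{deeplink}</DeepLink>
      <Icon>{icon}</Icon>
    </ApplicationInformation>
  </SearchableContent>
</PCSettings>
"""

def build_sample(deeplink, icon):
    """Render a constructed .settingcontent-ms body (values must not contain < or &)."""
    return _TEMPLATE.format(deeplink=deeplink, icon=icon).encode("utf-8")

def extract_tags(xml_bytes):
    """Return {'DeepLink': text, 'Icon': text}, ignoring any XML namespace."""
    found = {}
    for el in ET.fromstring(xml_bytes).iter():
        name = el.tag.rsplit("}", 1)[-1]  # '{ns}DeepLink' -> 'DeepLink'
        if name in ("DeepLink", "Icon"):
            found[name] = (el.text or "").strip()
    return found

def triage(xml_bytes):
    """Return (tag, reason) findings for one file; an empty list means nothing flagged."""
    findings = []
    tags = extract_tags(xml_bytes)
    for tag, value in tags.items():
        if not value:
            continue
        low = value.lower()
        findings.extend((tag, f"references {b}") for b in LAUNCHERS if b in low)
        if not PLAIN_PATH.match(value):
            findings.append((tag, "not a plain file path"))
    if len(tags.get("DeepLink", "")) > DEEPLINK_MAX_CHARS:
        findings.append(("DeepLink", f"exceeds the {DEEPLINK_MAX_CHARS}-character tag limit"))
    if len(tags.get("Icon", "")) > ICON_MAX_CHARS:
        findings.append(("Icon", "oversized Icon value (payload carrier, not an icon path)"))
    return findings

# Constructed inputs: a benign Control Panel launcher and a suspicious one.
BENIGN = build_sample(r"%windir%\system32\control.exe", r"%windir%\system32\control.exe")
SUSPICIOUS = build_sample(
    r'C:\Windows\System32\cmd.exe /c powershell.exe -Command "PLACEHOLDER"',
    "CONSTRUCTED_ICON_PLACEHOLDER " * 12,
)
```

Run `triage()` over every .settingcontent-ms file that lands on disk; the child-process and PDF-embedding detections above still need endpoint telemetry and are not covered by this static check.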
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 8.8 | HIGH | — |
| cisa | — | 8.8 | HIGH | — |
| vendor_msrc | — | 4.8 | MEDIUM | — |
CISA
Microsoft Windows Shell Remote Code Execution Vulnerability
cisa·2022-03-25·CVSS 8.8
CVE-2018-8414 [HIGH] CWE-20 Microsoft Windows Shell Remote Code Execution Vulnerability
Vulnerability: Microsoft Windows Shell Remote Code Execution Vulnerability
Affected: Microsoft Windows
A remote code execution vulnerability exists when the Windows Shell does not properly validate file paths.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2018-8414
Remediation Due Date: 2022-04-15
Microsoft
Windows Shell Remote Code Execution Vulnerability
vendor_msrc·2018-08-14·CVSS 4.8
CVE-2018-8414 [HIGH] Windows Shell Remote Code Execution Vulnerability
Windows Shell Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists when the Windows Shell does not properly validate file paths.
An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user. If the current user is logged on as an administrator, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with elevated privileges. Users whose accounts are configured to have fewer privileges on the system could be less impacted than users who operate with administrative privileges.
To exploit the vulnerability, an attacker must entice a user to open a specially crafted file. In an email attack scenario, an a
GHSA
GHSA-xg99-mpwj-gf2c: A remote code execution vulnerability exists when the Windows Shell does not properly validate file paths, aka "Windows Shell Remote Code Execution Vu
ghsa_unreviewed·2022-05-14
CVE-2018-8414 [HIGH] CWE-20 GHSA-xg99-mpwj-gf2c: A remote code execution vulnerability exists when the Windows Shell does not properly validate file paths, aka "Windows Shell Remote Code Execution Vu
A remote code execution vulnerability exists when the Windows Shell does not properly validate file paths, aka "Windows Shell Remote Code Execution Vulnerability." This affects Windows 10 Servers, Windows 10.
VulnCheck
Microsoft Windows Shell Remote Code Execution Vulnerability
vulncheck·2018·CVSS 8.8
CVE-2018-8414 [HIGH] CWE-20 Microsoft Windows Shell Remote Code Execution Vulnerability
Microsoft Windows Shell Remote Code Execution Vulnerability
A remote code execution vulnerability exists when the Windows Shell does not properly validate file paths.
Affected: Microsoft Windows
Required Action: Apply updates per vendor instructions.
Exploitation References: https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2018-Aug; https://www.zdnet.com/article/darkhydrus-abuses-windows-security-flaws-google-drive-to-deploy-roguerobin-trojan/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Exploit PoC: https://vulncheck.com/xdb/275a9314d8be
Remediation Due: 2022-04-15
No detection rules found.
No public exploits indexed.
Securelist
IT threat evolution Q3 2018. Statistics
blogs_securelist·2018-11-12
IT threat evolution Q3 2018. Statistics
Table of Contents
- Q3 figures
- Mobile threats
- Attacks on IoT devices
- Financial threats
- Cryptoware programs
- Cryptominers
- Vulnerable apps used by cybercriminals
- Attacks via web resources
- Local threats
Authors
- Victor Chebyshev
- Fedor Sinitsyn
- Denis Parinov
- Oleg Kupreev
- Evgeny Lopatin
- Alexander Liskin
These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data.
## Q3 figures
According to Kaspersky Security Network:
- Kaspersky Lab solutions blocked 947,027,517 attacks launched from online resources located in 203 countries.
- 246,695,333 unique URLs were recognized as malicious by Web Anti-Virus components.
- Attempted infections by malware designed to steal money via online access to
Trendmicro
SettingContent-ms Used for DeepLink Payload
blogs_trendmicro·2018-10-19·CVSS 8.8
[HIGH] SettingContent-ms Used for DeepLink Payload
Exploits & Vulnerabilities
## SettingContent-ms Used for DeepLink Payload
In July, we saw one spam campaign use malicious SettingContent-ms files embedded in a PDF to drop the remote access Trojan FlawedAmmyy. That campaign was mostly targeting banks in different countries across Asia and Europe.
By: Michael Villanueva, Oct 19, 2018
Microsoft’s SettingContent-ms has become a recent topic of interest. In July, we saw one spam campaign use malicious SettingContent-ms files embedded in a PDF to drop the remote access Trojan FlawedAmmyy, a RAT also used by the Necurs botnet. That campaign was mostly targeting banks in different countries across Asia and Europe.
SettingContent-ms is a recent addition to Microsoft software, first introduced in Windows 10. T
Trendmicro
August Patch Tuesday: A Tale of Two Zero-Days
blogs_trendmicro·2018-08-15·CVSS 7.5
[HIGH] August Patch Tuesday: A Tale of Two Zero-Days
Exploits & Vulnerabilities
## August Patch Tuesday: A Tale of Two Zero-Days
This month’s Microsoft Patch Tuesday includes important updates that patch two zero-day vulnerabilities that are already being actively exploited.
By: Trend Micro, Aug 15, 2018
This month’s Microsoft Patch Tuesday includes important updates that patch two zero-day vulnerabilities that are already being actively exploited.
The first of these zero-day vulnerabilities is CVE-2018-8373, a use-after-free (UAF) vulnerability in the VBscript engine that Trend Micro researchers found in Internet Explorer. This vulnerability bears many similarities to CVE-2018-8174, another VBscript engine vulnerability that was patched back in May. Successful exploitation of this vulnerability could
Krebs
Patch Tuesday, August 2018 Edition
blogs_krebs·2018-08-15·CVSS 7.5
CVE-2018-8373 [HIGH] Patch Tuesday, August 2018 Edition
Adobe and Microsoft each released security updates for their software on Tuesday. Adobe plugged five security holes in its Flash Player browser plugin. Microsoft pushed 17 updates to fix at least 60 vulnerabilities in Windows and other software, including two “zero-day” flaws that attackers were already exploiting before Microsoft issued patches to fix them.
According to security firm Ivanti, the first of the two zero-day flaws (CVE-2018-8373) is a critical flaw in Internet Explorer that attackers could use to foist malware on IE users who browse to hacked or booby-trapped sites. The other zero-day is a bug (CVE-2018-8414) in the Windows 10 shell that could allow an attacker to run code of his choice.
Microsoft also patched more variants of the Meltdown/Spectre memory vulnerabilit
Talos
Microsoft Tuesday August 2018
blogs_talos·2018-08-14·CVSS 9.8
[CRITICAL] Microsoft Tuesday August 2018
## Microsoft Tuesday August 2018
Microsoft released its monthly set of security advisories today for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 62 new vulnerabilities, 20 of which are rated “critical,” 38 that are rated “important,” one that is rated moderate and one that is rated as low severity. These vulnerabilities impact Windows Operating System, Edge and Internet Explorer, along with several other products.
In addition to the 60 vulnerabilities referenced above, Microsoft has also released a critical update advisory, ADV180020 which addresses the vulnerabilities described in the Adobe Flash Security Bulletin APSB18-25.
## Critical Vulnerabilities
This month, Microsoft is addressing 20 vulnerabilities that a
Zscaler
Zscaler protects against 10 new vulnerabilities for Internet Explorer, Microsoft Windows, Microsoft Edge & ChakraCore. | Zscaler
blogs_zscaler·CVSS 7.5
[HIGH] Zscaler protects against 10 new vulnerabilities for Internet Explorer, Microsoft Windows, Microsoft Edge & ChakraCore. | Zscaler
References:
- http://www.securityfocus.com/bid/105016
- http://www.securitytracker.com/id/1041458
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8414
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-8414
Published: 2018-08-15
Added to CISA KEV: 2022-03-25
Exploited in the wild