Microsoft patches Docker remote code execution bug

By Juha Saarinen on May 3, 2018 9:47AM

No evidence of public exploit.

Microsoft has issued a patch for a critical vulnerability in the Docker for Windows subsystem that could be exploited for remote code execution on host machines.

Identified as CVE-2018-8115, the flaw affects the Windows Host Compute Service Shim, a management layer abstraction for low-level Docker functionality such as control groups, namespaces, and file system capabilities.

Microsoft explained in a security advisory that the vulnerability could be exploited by attackers to run arbitrary code on targeted systems.

"To exploit the vulnerability, an attacker would place malicious code in a specially crafted container image which, if an authenticated administrator imported (pulled), could cause a container management service utilising the Host Compute Service Shim library to execute malicious code on the Windows host," Microsoft said.

Version 0.6.10 of the Windows Host Compute Service Shim (hcsshim) fixes the vulnerability.

Swiss software engineer Michael Hanselmann discovered the issue, and reported it to Microsoft and Docker in February this year.

At Microsoft's behest, Hanselmann has yet to publish full details of the vulnerability or a proof of concept for it, but he explained that it involves imported Docker images being able to make file system changes outside the containers.

While Microsoft rates the vulnerability as critical, the company said that it has not been exploited, nor publicly disclosed.
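For teams that vendor hcsshim into their own container tooling, the fixed release named above (0.6.10) can be checked against dependency pins. The script below is an added example, not code from Microsoft, Docker or the article; it assumes pins live in go.mod or vendor.conf-style text under the module path `github.com/Microsoft/hcsshim`, treats every tagged release below 0.6.10 as affected, and uses constructed sample manifests.

```python
import re

MODULE = "github.com/microsoft/hcsshim"  # module path, compared case-insensitively
FIXED = (0, 6, 10)                       # fixed release named in the article
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")

# Constructed sample manifests (not taken from any real project).
SAMPLE_GO_MOD = """\
module example.test/container-tool
require (
    github.com/Microsoft/hcsshim v0.6.8
    github.com/sirupsen/logrus v1.0.5
)
"""
SAMPLE_VENDOR_CONF = """\
# constructed vendor.conf-style pins
github.com/Microsoft/hcsshim v0.6.11
github.com/Microsoft/go-winio v0.4.7
"""

def parse_version(text):
    """Return (major, minor, patch), or None for pins that are not plain tags."""
    m = VERSION_RE.fullmatch(text)
    return tuple(int(p) for p in m.groups()) if m else None

def find_hcsshim_pins(manifest):
    """Yield (line_no, raw_version) for each hcsshim pin in the manifest text."""
    for line_no, line in enumerate(manifest.splitlines(), 1):
        fields = line.split("//")[0].split("#")[0].split()  # drop comments
        if fields and fields[0] == "require":               # single-line go.mod form
            fields = fields[1:]
        if len(fields) >= 2 and fields[0].lower() == MODULE:
            yield line_no, fields[1]

def audit(manifest):
    """Return [(line_no, raw_version, status)]; status is vulnerable, fixed or unknown."""
    findings = []
    for line_no, raw in find_hcsshim_pins(manifest):
        version = parse_version(raw)
        if version is None:
            status = "unknown"  # commit-hash or pseudo-version pin: check by hand
        else:
            status = "vulnerable" if version < FIXED else "fixed"
        findings.append((line_no, raw, status))
    return findings

if __name__ == "__main__":
    for name, text in (("go.mod", SAMPLE_GO_MOD), ("vendor.conf", SAMPLE_VENDOR_CONF)):
        for line_no, raw, status in audit(text):
            print(f"{name}:{line_no}: hcsshim {raw} -> {status}")
```

Pins reported as `unknown` reference a commit rather than a tagged release and need to be compared against the 0.6.10 tag manually.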
