December 2018 – Microsoft Patch Tuesday
‘Tis the season – for decking the halls, ringing the sleigh bells, playing reindeer games, and all the other traditions that come with the month of December in many parts of the world. While others are busy shopping ‘til they drop and wrapping packages to put under the tree, IT professionals are making a different kind of list to check twice – the list of all the software vulnerabilities that need to be patched before we can relax by the fire, roast chestnuts, and sip eggnog.
The good news is that for most Microsoft operating systems, this month doesn’t bring us quite as many updates as we sometimes see at year-end. Across all products, 38 security vulnerabilities are addressed by the Patch Tuesday updates. The bad news is that this slate of vulnerabilities includes at least one that is already actively being exploited – which means it’s even more important than usual to get those systems updated.
The Windows client and server operating systems, both Microsoft web browsers, Microsoft Office, and the .NET component all get security updates this month.
As always, the Malicious Software Removal Tool (MSRT) is updated to include the latest malware definitions.
Also of note, the December bulletin advises that “Because of minimal operations during the holidays and upcoming Western new year, there won’t be any preview releases for the month of December 2018. Monthly servicing will resume with the January 2019 security releases.”
The following security advisories were released on Patch Tuesday this month:
- ADV180029 — Inadvertently Disclosed Digital Certificates Could Allow Spoofing: Microsoft is publishing this advisory to notify customers of two inadvertently disclosed digital certificates that could be used to spoof content and to provide an update to the Certificate Trust List (CTL) to remove user-mode trust for the certificates. The disclosed root certificates were unrestricted and could be used to issue additional certificates for uses such as code signing and server authentication.
- ADV180030 — November 20, 2018 Flash Updates: This update addresses a critical remote code execution vulnerability in Adobe Flash on Windows RT 8.1, Windows 8.1 and 10, and Windows Server 2012, 2012 R2, 2016, and 2019.
- ADV180031 — December 2018 Adobe Flash Security Update: This update addresses two critical remote code execution vulnerabilities in Adobe Flash on Windows RT 8.1, Windows 8.1 and 10, and Windows Server 2012, 2012 R2, 2016, and 2019.
- ADV990001 — Latest Servicing Stack Updates (updated): This is a list of the latest servicing stack updates for each operating system. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update.
Operating system, OS components, and web browser updates
Depending on which operating system you’re running, the December patches address anywhere from eight to nineteen different security issues. All of the currently supported Windows client and server operating systems are impacted by security issues. The latest version of Windows 10 – v. 1809 – is affected by the largest number of vulnerabilities: nineteen in all, with seventeen of those rated important and two rated critical.
The Zero Day vulnerability that is reported to have already been exploited is not one of those rated as critical:
- CVE-2018-8611 – Windows Kernel Elevation of Privilege Vulnerability: This is an elevation of privilege vulnerability that exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploits this vulnerability could run arbitrary code in kernel mode and could then install programs or view, change, or delete data, or create new accounts with full user rights. The good news is that in order to exploit this vulnerability, an attacker would first have to log on to the system. Thus it has been rated important, rather than critical. According to Redmond Magazine, quoting Chris Goettl at Ivanti, the detected exploitation has been on older versions of Windows, and the impact on newer versions of the OS could be less severe.
This month we see a lower than usual number of vulnerabilities in the Microsoft web browsers. Internet Explorer 11 has four vulnerabilities patched, with one critical and three rated important. Microsoft Edge has five vulnerabilities this time, and all five are rated critical.
Microsoft Office updates
This month there are twenty-five security updates and twelve non-security updates for Microsoft Office 2010, 2013, and 2016. You can see details about the Office security updates, including SharePoint Server, in KB 4477615.
Again this month, the .NET Framework has a vulnerability addressed by the patches. It’s another that is rated important:
- CVE-2018-8517 – .NET Framework Denial Of Service Vulnerability: An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET Framework web application, which could be exploited remotely, without authentication. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET Framework application. According to Microsoft, this vulnerability is not known to have been exploited prior to issuance of the patch, but it has been publicly disclosed.
In addition, there are fixes for “the usual suspects” such as Adobe Flash Player and ChakraCore, along with Microsoft Dynamics NAV, Microsoft Exchange Server, Microsoft Visual Studio, and Windows Azure Pack (WAP).
The following are some of the critical vulnerabilities addressed by this month’s updates:
- CVE-2018-8540 | .NET Framework Remote Code Injection Vulnerability: A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- CVE-2018-8583 | Chakra Scripting Engine Memory Corruption Vulnerability: A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system.
- CVE-2018-8626 | Windows DNS Server Heap Overflow Vulnerability: A remote code execution vulnerability exists in Windows Domain Name System (DNS) servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.
- CVE-2018-8634 | Microsoft Text-To-Speech Remote Code Execution Vulnerability: A remote code execution vulnerability exists in Windows where Microsoft text-to-speech fails to properly handle objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
The above is only a sampling of some of the critical vulnerabilities addressed by this month’s patches. For example, there are multiple Chakra scripting engine vulnerabilities similar to the one described. You can download the Excel spreadsheet containing the complete listing of the updates from the Microsoft Security Updates Guide web site.