Patch Tuesday December 2018

In what Microsoft says will be the last cumulative update in 2018 before the holiday season, there are patches for 38 CVEs, including a zero-day.

Windows 10 and Server 2016

This month there are patches for 12 CVEs for Windows 10 and Server 2016, 2 of which are rated critical. CVE-2018-8626 is a DNS server heap overflow vulnerability that could allow an attacker to run arbitrary code in the context of the Local System Account on Windows Servers by sending malicious requests to servers where the DNS service is installed. A remote code execution vulnerability in Microsoft Text-To-Speech could let an attacker take control of affected systems. Users who run with fewer privileges are at less risk.

There are three escalation of privilege patches rated important, six information disclosure patches and one denial of service, all rated important. CVE-2018-8611 is a Windows kernel escalation of privilege vulnerability where the kernel fails to properly handle objects in memory, allowing an attacker to run code in kernel mode. This flaw would require an attacker to log in to a system and then run code to exploit the vulnerability. Microsoft says that this flaw is already being exploited.

The Microsoft Edge and ChakraCore are patched for 5 critical remote code execution vulnerabilities. All of them could allow an attacker to run arbitrary code in the context of the logged-on user, so users without administrative privileges are at less risk. The .NET Framework also gets a patch for a remote code injection vulnerability that could allow an attacker to install programs and create new accounts with full user rights. Internet Explorer 11 gets three remote code execution patches, one of which is a memory corruption vulnerability that is rated critical and it could allow an attacker to run code in the context of the logged-on user.

Windows 7 and Server 2008

Windows 7, Server 2008, and Server 2008 R2 get 9 patches this month. Two are for escalation of privilege – see above for information on CVE-2018-8611 – and the rest are information disclosure. CVE-2018-8641 is a critical Win32k elevation of privilege vulnerability but it is not currently being exploited.

Microsoft Servers

Exchange Server 2016 Cumulative Update 10 and 11 get an important patch to fix a tampering vulnerability that could be used to change users’ profile data. Microsoft SharePoint Enterprise Server 2016 gets three patches for elevation of privilege, remote code execution, and spoofing flaws, all rated important. Microsoft Dynamics NAV 2016 and 2017 get a patch for an important spoofing flaw that could allow an attacker to read data the logged-in user isn’t authorized to view and take actions on the victim’s behalf, like changing permissions and deleting data.

Microsoft Office

Office 365 ProPlus (Click to Run) gets six important patches. Four are remote code execution flaws and two are information disclosure. Users running without administrative privileges are at less risk from the remote code execution flaws.

Adobe

Patches for Flash Player were already released a few days before Patch Tuesday, but new versions of Acrobat and Reader were released, fixing 87 vulnerabilities, 39 of which are critical.