The just-released Patch Tuesday for December includes a fix for the actively exploited Win32k Elevation of Privilege Vulnerability (CVE-2018-8611). The flaw allows an attacker to exploit a bug in the Windows Kernel and run arbitrary code to install programs; view, change, or delete data; or create new accounts with full user rights. It has also been flagged as likely being used together with other bugs in targeted attacks.
The patch release fixes another vulnerability that’s worth noting: CVE-2018-8626, a Windows DNS Server Heap Overflow remote code execution (RCE) vulnerability that exists when DNS servers fail to properly handle requests. An attacker who successfully exploits the vulnerability could run arbitrary code in the context of the Local System Account. The vulnerability can be exploited by sending a specially crafted request to an affected DNS server.
Other noteworthy patches in the batch include a Critical-rated remote code injection vulnerability in the .NET Framework and a text-to-speech RCE bug.
Microsoft closes out the year with 39 security patches and one advisory that cover issues in Internet Explorer (IE), Edge, ChakraCore, Microsoft Windows, Office and Microsoft Office Services and Web Apps, and the .NET Framework. Of the 39 CVEs, nine are listed as Critical and 30 as Important in severity. Five were disclosed through the Zero Day Initiative (ZDI) program.
On the Adobe front, the company's release covered a total of 87 CVEs, 39 of which were handled by the ZDI. All of the bugs are listed as Important, save for one Moderate CVE. On December 5, Adobe had also shipped an early patch for Flash Player that addresses two CVEs, one of which, CVE-2018-15982, is listed as under active attack. This use-after-free (UAF) vulnerability allows an attacker to execute code at the level of the logged-on user. The exploit is being spread through spear-phishing campaigns as a Flash SWF embedded in a Microsoft Office document.
Trend Micro™ Deep Security and Vulnerability Protection protect user systems from any threats that may target the vulnerabilities addressed in this month’s round of updates via the following DPI rules:
- 1009409-Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2018-8583)
- 1009410-Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2018-8619)
- 1009411-Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2018-8617)
- 1009412-Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2018-8618)
- 1009413-Microsoft Text-To-Speech Remote Code Execution Vulnerability (CVE-2018-8634)
- 1009414-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2018-8631)
- 1009415-Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2018-8629)
- 1009416-Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2018-8624)
- 1009427-Microsoft PowerPoint Remote Code Execution Vulnerability (CVE-2018-8628)
- 1009428-Microsoft Outlook Remote Code Execution Vulnerability (CVE-2018-8587)
- 1009429-Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2018-8643)
- 1009430-Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2018-8625)
- 1009431-Microsoft Windows Multiple Security Vulnerabilities (Dec-2018)
Trend Micro™ TippingPoint™ customers are protected from threats that may exploit this month’s list of vulnerabilities via these MainlineDV filters:
- 33685: HTTP: Microsoft Edge Chakra JIT Type Confusion Vulnerability
- 33686: HTTP: Microsoft Edge Chakra InlineArrayPush Type Confusion Vulnerability
- 33687: HTTP: Microsoft Edge Chakra defineSetter Type Confusion Vulnerability
- 33688: HTTP: Microsoft Edge Memory Corruption Vulnerability
- 33689: HTTP: Microsoft Edge ArrayBuffer Out-of-Bounds Write Vulnerability
- 33690: HTTP: Microsoft Internet Explorer Array Prototype Out-of-Bounds Write Vulnerability
- 33691: HTTP: Microsoft Edge SpeechSynthesis Buffer Overflow Vulnerability
- 33708: HTTP: Microsoft XML XSL VBScript Usage
- 33711: HTTP: Adobe Flash Player SWF Parsing Use-After-Free Vulnerability
- 33818: HTTP: Microsoft PowerPoint Use-After-Free Vulnerability
- 33819: HTTP: Microsoft Internet Explorer Use-After-Free Vulnerability
- 33820: HTTP: Microsoft Windows Kernel Use-After-Free Vulnerability
- 33822: HTTP: Microsoft Windows win32kfull.sys Integer Overflow Vulnerability