Microsoft has patched 32 vulnerabilities this month, which is relatively light compared to the 50+ that they normally patch. One “zero-day” vulnerability was also patched in this update that allowed for privilege escalation. With the exception of that “zero-day” in the kernel, the most notable vulnerabilities were in Microsoft’s web browsers.
Internet Explorer and Edge
Microsoft’s browsers received a number of fixes this month, with two notable ones allowing for remote code execution. Edge received a fix for CVE-2018-8624, and Explorer received a fix for CVE-2018-8631 to address the remote code execution bugs. Attackers exploiting these vulnerabilities would gain rights equal to that of the current user.
This month’s previously mentioned zero-day vulnerability, CVE-2018-8611, was actively exploited in the wild prior to patching. Unprivileged users could gain control over vulnerable systems after logging in locally. This could be used in conjunction with a remote attack to grant the remote attacker greater privileges.
Office products received six fixes for the holiday season. Attackers exploiting these vulnerabilities could gain access to sensitive information, execute code with privileges equal to that of the current user, and cause denial of service conditions. As usual, MS Office products typically do not require a high level of privilege in order to complete their tasks. Be sure to run them with the principle of least privilege (PoLP) in mind.
Similar to a few months ago, Windows DNS was patched for a remote code execution vulnerability. An attacker would exploit this vulnerability by crafting and sending a malicious request to the DNS server. The server would then be compromised at the Local System Account level. Microsoft has rated the chances of exploiting this particular vulnerability as less likely.
Adobe Flash Player
Adobe brought their holiday patches as early gifts this month, releasing an out-of-band patch for two remote code execution vulnerabilities that were being actively exploited in the wild. Attackers exploiting these vulnerabilities would gain rights equal to that of the current user. Adobe Flash has two more years of life left in it, as Adobe has promised to stop updating and distributing Flash Player by the end of 2020. Until then, it is important to update Adobe Flash Player or uninstall it altogether.