Welcome back to this month’s Patch Tuesday. Microsoft has patched 62 vulnerabilities this month, including two whose details were disclosed prior to patching, and one “zero-day” vulnerability in Windows that was actively being exploited. The bulk of the vulnerabilities affect web browsers.
Internet Explorer and Edge
Microsoft’s browsers received a host of fixes this month. Eight vulnerabilities in the Chakra Scripting Engine were patched for Internet Explorer and Edge. Attackers may be able to execute arbitrary code by luring a victim to a website hosting maliciously crafted content. Attackers would gain the same user rights as the current user.
Like last month, an actively exploited vulnerability in the Windows Kernel was patched. An attacker would need to be logged into the system already, but could then use the vulnerability to elevate their privileges to system level. Attackers leveraged this vulnerability against Windows 7 and Server 2008 targets in the wild.
As usual, MS Office accounted for many of the vulnerabilities patched this month, with over 20 addressed. Attackers exploiting these vulnerabilities could gain access to sensitive information, execute code with privileges equal to those of the current user, and cause denial-of-service conditions.
Adobe Flash Player
Adobe Flash Player was patched for an out-of-bounds read vulnerability that could allow for remote code execution. As usual, Microsoft has bundled the patch with their update service due to the frequency with which Adobe Flash Player vulnerabilities are discovered.
A previously disclosed vulnerability in Windows BitLocker encryption technology was patched this month. Attackers exploiting the vulnerability would have been able to bypass the encryption features to access protected data. Specifically, SSDs encrypted using BitLocker were left suspended in a state in which, if the drive was found powered off, its data would be readable without decryption.