Microsoft has recently rolled out the last patches of this year; December 2018 Security Update. In addition, Advisory on .NET Framework, ChackraCore, Microsoft Windows, Internet Explorer (IE), Edge, Office and Microsoft Office Services and Web Apps is released. Out of the 39 CVEs (Common Vulnerabilities and Exposure), the severity status of 9 is critical, while 30 CVEs are marked important. One of the bugs is reported to be under active attack in the Advisory.
In short, though the patch is a comparatively smaller one with just 39 CVEs, it is something you must prioritize. So, here, let’s take you through a brief review of the December 2018 Security Update Microsoft.
December 2018 Security Update from Microsoft
The update released on 11th December 2018 (Patch Tuesday, December) is a cumulative update. The patch consists of security updates as well as all the other fixed introduced until then. You system downloads these updates automatically. If you’d like to get the stand-alone version, you can download from Microsoft Update Catalog as well.
Threats and vulnerabilities
About 25 percent of the entire release relates to browser-related bugs. Office and Office SharePoint group of application constitute to another major part of the release. Some other important patches include those for the Kernel, DirectX and other kernel-mode drivers.
Of the 39 patches released as the 2018 December security update, the following are some of the important bugs covered.
CVE-2018-8517 – .NET Framework Denial of Service Vulnerability
This bug results in .NET framework being unable to handle some web requests appropriately. When exploited, this vulnerability may result in denial of service in a web application. It is possible for an attacker to exploit this bug without any kind of authentication. Some changes are brought in, so as to handle the .NET framework denial of service vulnerabilities.
CVE-2018-8611 – Windows Kernel Elevation of Privilege Vulnerability
This vulnerability relates to Windows Kernel’s inability to handle objects in its memory. If exploited, an attacker may run specific codes arbitrarily to change data, create an account or install programs with complete user privilege. In accordance with reports, this vulnerability is already being actively exploited.
CVE-2018-8634 – Microsoft Text-To-Speech Remote Code Execution Vulnerability
This patch can be important for those who employ or use text to speech. Though the chances of attacks are sleek, vulnerabilities exist as text-to-speech involves sending an HTTP POST request to the “Speech service”. And, like in case of Elevation of Privilege threat, when exploited, the invader can take control over the system affected.
CVE-2018-8540 – .NET Framework Remote Code Injection Vulnerability
Classified ‘critical’ under severity status, RCI vulnerability involves the failure of the .NET network to correctly validate the input. When exploited, the attacker can manipulate the affected system by using susceptible .NET methods to pass a particular code or input.
Follow the entire list of CVEs –
Used abbreviations –
RCI: “Remote Code Injection”
EMC: “Engine Memory Corruption”
RCE: “Remote Code Execution”
DOS: “Denial of Service”.
A closer look at December 2018 Security Updates from Microsoft details and the complete list of CVEs in the Advisory –
| Vulnerability/Title | Severity status | Type | Public | XI – Latest | XI – Older | Exploited |
| CVE-2018-8611 – Windows Kernel: Elevation of Privilege Vulnerability | Important | EoP | No | 1 | 0 | Yes |
| CVE-2018-8540 -. NET Framework RCI Vulnerability | Critical | RCE | No | 2 | 2 | No |
| CVE-2018-8583 – Chakra Scripting EMC Vulnerability | Critical | RCE | No | 1 | NA | No |
| CVE-2018-8617 – Chakra Scripting EMC Vulnerability | Critical | RCE | No | 1 | NA | No |
| CVE-2018-8629 – Chakra Scripting EMC Vulnerability | Critical | RCE | No | 1 | NA | No |
| CVE-2018-8626 – Windows DNS Server-Heap Overflow Vulnerability | Critical | RCE | No | 2 | 2 | No |
| CVE-2018-8624 – Chakra Scripting EMC Vulnerability | Critical | RCE | No | 1 | NA | No |
| CVE-2018-8618 – Chakra Scripting EMC Vulnerability | Critical | RCE | No | 1 | NA | No |
| CVE-2018-8634 – Microsoft Text-To-Speech RCE Vulnerability | Critical | RCE | No | 1 | 1 | No |
| CVE-2018-8631 – Internet Explorer Memory Corruption Vulnerability | Critical | RCE | No | 1 | 1 | No |
| CVE-2018-8517 – .NET Framework DOS Vulnerability | Important | DoS | Yes | 3 | 3 | No |
| CVE-2018-8514 – Remote Procedure Call runtime Information Disclosure Vulnerability | Important | Info | No | 2 | 2 | No |
| CVE-2018-8477 – Windows Kernel Information Disclosure Vulnerability | Important | Info | No | 1 | 1 | No |
| CVE-2018-8587 – Microsoft Outlook RCE Vulnerability | Important | RCE | No | 1 | 1 | No |
| CVE-2018-8580 – Microsoft SharePoint Information Disclosure Vulnerability | Important | Info | No | 3 | 3 | No |
| CVE-2018-8596 – Windows GDI Information Disclosure Vulnerability | Important | Info | No | 1 | 1 | No |
| CVE-2018-8595 – Windows GDI Information Disclosure Vulnerability | Important | Info | No | 1 | 1 | No |
| CVE-2018-8598 – Microsoft Excel Information Disclosure Vulnerability | Important | Info | No | 2 | 2 | No |
| CVE-2018-8597 – Microsoft Excel RCE Vulnerability | Important | RCE | No | 1 | 1 | No |
| CVE-2018-8604 – Microsoft Exchange Server Tampering Vulnerability | Important | Tampering | No | 2 | 2 | No |
| CVE-2018-8599 – Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability | Important | EoP | No | 1 | 1 | No |
| CVE-2018-8619 – Internet Explorer RCE Vulnerability | Important | RCE | No | 1 | 1 | No |
| CVE-2018-8612 – Connected User Experiences and Telemetry Service DOS Vulnerability | Important | Dos | No | 1 | 1 | No |
| CVE-2018-8621 – Windows Kernel Information Disclosure Vulnerability | Important | Info | No | 1 | NA | No |
| CVE-2018-8625 – Windows VBScript Engine RCE Vulnerability | Important | RCE | No | 1 | 1 | No |
| CVE-2018-8622 – Windows Kernel Information Disclosure Vulnerability | Important | Info | No | 1 | 1 | No |
| CVE-2018-8628 – Microsoft PowerPoint RCE Vulnerability | Important | RCE | No | 1 | 1 | No |
| CVE-2018-8627 – Microsoft Excel Information Disclosure Vulnerability | Important | Info | No | 2 | 2 | No |
| CVE-2018-8635 – Microsoft SharePoint Server Elevation of Privilege Vulnerability | Important | Info | No | 2 | 2 | No |
| CVE-2018-8639 – Win32k Elevation of Privilege Vulnerability | Important | EoP | No | 1 | 1 | No |
| CVE-2018-8636 – Microsoft Excel RCE Vulnerability | Important | RCE | No | 2 | 2 | No |
| CVE-2018-8638 – DirectX Information Disclosure Vulnerability | Important | Info | No | 1 | 1 | No |
| CVE-2018-8637 – Win32k Information Disclosure Vulnerability | Important | Info | No | 1 | 1 | No |
| CVE-2018-8641 – Win32k Elevation of Privilege Vulnerability | Important | Eop | No | 1 | 1 | No |
| CVE-2018-8643 – Scripting EMC Vulnerability | Important | RCE | No | 1 | 1 | No |
| CVE-2018-8649 – Windows DOS Vulnerability | Important | DoS | No | NA | NA | No |
| CVE-2018-8650 – Microsoft Office SharePoint XSS Vulnerability | Important | XSS | No | NA | NA | No |
| CVE-2018-8652 – Windows Azure Pack Cross-Site Scripting Vulnerability | Important | XSS | No | NA | NA | No |
| CVE-2018-8651 – Microsoft Dynamics NAV Cross-Site Scripting Vulnerability | Important | XSS | No | 2 | 2 | No |
That’s all!!!