Microsoft December Patch Tuesday Overview

Microsoft has issued patches for 39 vulnerabilities this December 2018 Patch Tuesday. Of the vulnerabilities, 10 were rated critical, 9 of which were in Microsoft products and one in Adobe Flash player. Two vulnerabilities were identified as being actively exploited in the wild.

The patches cover the following products and services: Microsoft Windows, Microsoft Office, Internet Explorer, Microsoft Edge, Microsoft Office SharePoint, Microsoft Graphics Component, Microsoft Exchange Server Microsoft Dynamics, Microsoft Scripting Engine, Microsoft Windows DNS, Visual Studio, Windows Authentication Methods, Windows Azure Pack, Windows Kernel, Windows Kernel-Mode Drivers, and .NET Framework.

The critical vulnerabilities affect the Chakra Scripting Engine of Microsoft Edge (5), .NET framework (1), Microsoft Text-to-Speech (1), Internet Explorer (1), and Windows DNS server (1).

  • CVE-2018-8583; CVE-2018-8617; CVE-2018-8618; CVE-2018-8624; CVE-2018-8629: Chakra Scripting Engine: Memory corruption vulnerabilities due to how Microsoft Edge handles memory objects. Exploitation would require a user to visit a specially crafted website, through a link in a phishing email or malvertising, for example.
  • CVE-2018-8540: .NET Framework: A remote code injection vulnerability when the .NET framework fails to validate input correctly. An attacker could gain full control of an affected system if an admin user’s account is compromised.
  • CVE-2018-8626: Windows DNS Server: A heap overflow vulnerability affecting Windows servers configured as DNS servers, which could allow remote code execution on the Local System Account.
  • CVE-2018-8631: Internet Explorer: A memory corruption vulnerability that could allow remote code execution. Exploitation would require a user to visit a specially crafted website, through a link in a phishing email, for example.
  • CVE-2018-8634: Microsoft Text-to-Speech: Remote code execution vulnerability due to a failure to correctly handle objects in the memory. Flaw could be exploited to take full control of a vulnerable system.
  • ADV180031: Adobe Flash Player: Adobe patched two vulnerabilities in an out-of-band update on December 5. Microsoft has addressed these vulnerabilities, which are currently being exploited in the wild.

In response to a number of recently discovered vulnerabilities, Adobe has released 87 updates. Of these updates, 39 were rated critical and could allow an attacker to execute arbitrary code or elevate privileges on vulnerable devices. Many of the vulnerabilities could be used together to give an attacker full control of a vulnerable computer.  Some of the patches were directed at Acrobat and PDF Reader products. The bundle included a patch for yet another zero-day flaw in Flash Player that is already being exploited in the wild.

These patches are in addition to an out-of-bounds update issued earlier in December to fix two actively exploited vulnerabilities.

All patches should be applied as soon as possible.