
The December 2018 Security Update Review

Source: thezdi.com

December is here and with it comes the latest in security offerings from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.

Adobe Patches for December 2018

Adobe got an early start on the December release by shipping their patch for Flash on December 5. The patch actually addresses two CVEs, but only one – CVE-2018-15982 – is listed as being under active attack. The attack involves an embedded Flash SWF within a Microsoft Office document. The use-after-free exploit allows the attacker to execute code at the level of the logged-on user. The document is spread through spear phishing campaigns, so remember the importance of good email practices. Flash exploitation had been on the decline since browsers are doing more to block Flash content. However, exploit writers have shifted their techniques to embedding Flash in Office docs to take advantage of vulnerabilities in the media player.
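A defender-side check for the delivery method described above, added here as an example and not taken from the original post: it scans an OOXML document (.docx/.xlsx/.pptx) for an embedded Flash ActiveX control or SWF payload so mail gateways or triage scripts can flag it. The function names and the sample document are assumptions made for illustration, the CLSID is the publicly documented Shockwave Flash control identifier rather than a value from this page, and legacy OLE2 files are not handled.

```python
import io
import re
import struct
import uuid
import zipfile

# Well-known CLSID of the Shockwave Flash ActiveX control (not taken from the page).
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"
FLASH_CLSID_BIN = uuid.UUID(FLASH_CLSID).bytes_le  # byte layout used inside OLE streams
# SWF header: signature (FWS/CWS/ZWS), 1-byte version, 4-byte little-endian length.
SWF_HEADER = re.compile(rb"[FCZ]WS([\x01-\x32])(.{4})", re.DOTALL)

def has_swf_header(data):
    """True if data holds a plausible SWF header (sane version and length)."""
    for match in SWF_HEADER.finditer(data):
        (length,) = struct.unpack("<I", match.group(2))
        if 8 < length < 100 * 1024 * 1024:
            return True
    return False

def find_embedded_flash(doc_bytes):
    """Return sorted (part, reason) pairs for Flash indicators in an OOXML file."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(doc_bytes))
    except zipfile.BadZipFile:
        return []  # legacy OLE2 .doc/.xls needs a different parser
    hits = set()
    with archive:
        for name in archive.namelist():
            data = archive.read(name)
            # The control is referenced as text in XML parts, as a raw GUID in .bin parts.
            if FLASH_CLSID.encode() in data.upper() or FLASH_CLSID_BIN in data:
                hits.add((name, "flash-clsid"))
            if name.lower().endswith(".bin") and has_swf_header(data):
                hits.add((name, "swf-header"))
    return sorted(hits)

def make_sample(with_flash):
    """Build a constructed, inert OOXML-like archive for demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        if with_flash:
            z.writestr("word/activeX/activeX1.xml",
                       '<ax:ocx ax:classid="{d27cdb6e-ae6d-11cf-96b8-444553540000}"/>')
            z.writestr("word/activeX/activeX1.bin",
                       b"\x00" * 16 + b"FWS\x20" + struct.pack("<I", 64) + b"\x00" * 56)
    return buf.getvalue()
```

A hit is a triage signal rather than a verdict: legitimate documents can embed Flash too, so flagged files still need review or sandboxing.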

Today, Adobe released a massive update for Acrobat and Reader covering 87 CVEs. A total of 39 of these came through the ZDI program. The security bulletin also acknowledges ZDI researcher Abdul-Aziz Hariri for his defense-in-depth contributions to hardening JavaScript API restrictions bypasses and for his contributions to mitigate the Onix Indexing attack surface. None of these CVEs are noted as being under active attack. All but one of these are listed as Important in severity, with the exception being a lone Moderate CVE. About half of these CVEs cover Out-Of-Bounds (OOB) read bugs, but the patch also corrects UAFs, OOB writes, security feature bypasses, buffer errors, heap overflows, integer overflows, and an untrusted pointer dereference. This is the second Reader patch of this magnitude in 2018. It will be interesting to see if the volume continues in 2019.

Microsoft Patches for December 2018

Microsoft closes out 2018 with a relatively small release of 39 security patches and one advisory covering Internet Explorer (IE), Edge, ChakraCore, Microsoft Windows, Office and Microsoft Office Services and Web Apps, and the .NET Framework. Of these 39 CVEs, 9 are listed as Critical and 30 are rated Important in severity. A total of five of these CVEs came through the ZDI program. One of these bugs is listed as publicly known at the time of release and one of these is reported as being actively exploited.

Let’s take a closer look at some of the more interesting patches for this month, starting with the issue currently under active attack:

- CVE-2018-8611 – Win32k Elevation of Privilege Vulnerability
For the third month in a row, December has a Win32k (kernel-mode drivers) elevation of privilege vulnerability listed as currently under active attack. And, as was the case in previous months, this bug was reported by researchers at Kaspersky Labs, indicating this bug is being used in malware. Again, this is likely being used in targeted attacks in combination with other bugs.

- CVE-2018-8626 – Windows DNS Server Heap Overflow Vulnerability
This corrects a bug in the Windows DNS server that could allow an attacker to execute code in the context of the LocalSystem Account. While it doesn’t have permissions to everything, it has plenty. Exploiting this vulnerability is as easy as sending a specially crafted request to an affected DNS server. Since DNS servers are designed to handle requests, there’s no other real defense beyond applying the patch. If you’re running DNS servers in your enterprise, definitely prioritize this one. 

- CVE-2018-8540 – .NET Framework Remote Code Injection Vulnerability
This patch addresses a Critical-rated RCE in the .NET Framework that could allow an attacker to take control of a system if they passed specific input to an application utilizing susceptible .NET methods. It’s not clear if .NET applications need to be recompiled after this patch is applied, but that’s often the case to be fully protected from input validation bugs.

- CVE-2018-8634 – Microsoft Text-To-Speech Remote Code Execution Vulnerability
This patch is interesting for a couple of different reasons. First, newer functionalities like text-to-speech have a somewhat unknown attack surface. This isn’t the first text-to-speech related bug – Android had one a few years ago – but it’s certainly not often seen. Secondly, Microsoft doesn’t state a sample exploit scenario, but since generating speech requires an HTTP POST request to the Speech service, it’s possible this could be remotely accessible if your application is network facing. Either way, if you employ text-to-speech, don’t overlook this patch.

Here’s the full list of CVEs released by Microsoft for December 2018.

| CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older | Type |
|---|---|---|---|---|---|---|---|
| CVE-2018-8611 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | Yes | 1 | 0 | EoP |
| CVE-2018-8517 | .NET Framework Denial Of Service Vulnerability | Important | Yes | No | 3 | 3 | DoS |
| CVE-2018-8540 | .NET Framework Remote Code Injection Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2018-8583 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
| CVE-2018-8617 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
| CVE-2018-8618 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
| CVE-2018-8624 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
| CVE-2018-8626 | Windows DNS Server Heap Overflow Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2018-8629 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
| CVE-2018-8631 | Internet Explorer Memory Corruption Vulnerability | Critical | No | No | 1 | 1 | RCE |
| CVE-2018-8634 | Microsoft Text-To-Speech Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 | RCE |
| CVE-2018-8477 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 1 | 1 | Info |
| CVE-2018-8514 | Remote Procedure Call runtime Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2018-8580 | Microsoft SharePoint Information Disclosure Vulnerability | Important | No | No | 3 | 3 | Info |
| CVE-2018-8587 | Microsoft Outlook Remote Code Execution Vulnerability | Important | No | No | 1 | 1 | RCE |
| CVE-2018-8595 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 1 | 1 | Info |
| CVE-2018-8596 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 1 | 1 | Info |
| CVE-2018-8597 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 1 | 1 | RCE |
| CVE-2018-8598 | Microsoft Excel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2018-8599 | Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2018-8604 | Microsoft Exchange Server Tampering Vulnerability | Important | No | No | 2 | 2 | Tampering |
| CVE-2018-8612 | Connected User Experiences and Telemetry Service Denial of Service Vulnerability | Important | No | No | 1 | 1 | DoS |
| CVE-2018-8619 | Internet Explorer Remote Code Execution Vulnerability | Important | No | No | 1 | 1 | RCE |
| CVE-2018-8621 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | N/A | 1 | Info |
| CVE-2018-8622 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | N/A | 1 | Info |
| CVE-2018-8625 | Windows VBScript Engine Remote Code Execution Vulnerability | Important | No | No | 1 | 1 | RCE |
| CVE-2018-8627 | Microsoft Excel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2018-8628 | Microsoft PowerPoint Remote Code Execution Vulnerability | Important | No | No | 1 | 1 | RCE |
| CVE-2018-8635 | Microsoft SharePoint Server Elevation of Privilege Vulnerability | Important | No | No | 3 | 3 | EoP |
| CVE-2018-8636 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2018-8637 | Win32k Information Disclosure Vulnerability | Important | No | No | 1 | 1 | Info |
| CVE-2018-8638 | DirectX Information Disclosure Vulnerability | Important | No | No | 1 | 1 | Info |
| CVE-2018-8639 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2018-8641 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2018-8643 | Scripting Engine Memory Corruption Vulnerability | Important | No | No | 1 | 1 | RCE |
| CVE-2018-8649 | Windows Denial of Service Vulnerability | Important | No | No | N/A | N/A | DoS |
| CVE-2018-8650 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | N/A | N/A | XSS |
| CVE-2018-8651 | Microsoft Dynamics NAV Cross Site Scripting Vulnerability | Important | No | No | 2 | 2 | XSS |
| CVE-2018-8652 | Windows Azure Pack Cross Site Scripting Vulnerability | Important | No | No | N/A | N/A | XSS |

Although a smaller overall set of patches, browser-related bugs make up about 25% of the total release. This includes the VBScript bugs that act like browser bugs since they have the same exploit scenario (browse and own) as the web browsers. Interestingly, these are listed as Important severity instead of Critical. According to Microsoft’s severity classification guide, client systems get Critical ratings for “Network Worms, or unavoidable common browsing/use scenarios where client is compromised without warnings or prompts.” Perhaps these Important-rated bugs pop some warning not clearly stated in the vulnerability description.

Another quarter of this release is related to the Office and Office SharePoint group of applications. The most interesting is likely the patch for Outlook due to the proliferation of phishing-related attacks (see above). Fortunately, the Preview Pane is not an attack vector for this bug. And, before you say “I’d never fall for that!” – imagine an attack that combined this with the bug from ZDI-18-1355 that allows you to impersonate any user. Suddenly, that spreadsheet labelled “executive_pay.xlsx” from $bossname becomes pretty tempting. Speaking of Exchange, there’s an additional Tampering bug in this month’s release, too. That sort of attack scenario shows how bugs that don’t directly lead to code execution can still be tremendously impactful.

This month also sees several patches for the kernel and kernel-mode drivers, including DirectX. ZDI researcher Fritz Sands recently blogged about kernel elevation through DirectX, which shows how broad this attack surface can be. Rounding out this month’s patches are a few more information disclosure and security feature bypass bugs in Windows components and a few cross-site scripting (XSS) bugs in Microsoft Dynamics, SharePoint, and Windows Azure Pack.

Finally, the only advisory for December is Microsoft’s version of the previously discussed Adobe patch for Flash in Internet Explorer.

Looking Ahead

The next patch Tuesday falls on January 8 of 2019, and we’ll return with details and patch analysis then. Until then, happy patching and may all your reboots be smooth and clean!
