December 2018 Patch Tuesday: Microsoft patches Windows zero-day exploited in the wild

It’s Patch Tuesday again and, as per usual, both Microsoft and Adobe have pushed out patches for widely-used software packages.


The Microsoft patches

Microsoft’s December 2018 Patch Tuesday release is pretty lightweight: the company has plugged 38 CVE-numbered security holes, nine of which are considered to be Critical.

Among the most notable bugs in this batch are CVE-2018-8611, an elevation of privilege vulnerability that arises when the Windows kernel fails to properly handle objects in memory, and CVE-2018-8626, a heap overflow vulnerability in the Windows DNS server that could allow an attacker to execute code in the context of the LocalSystem account.

“CVE-2018-8611 is an especially dangerous threat – a vulnerability in the Kernel Transaction Manager driver. It can also be used to escape the sandbox in modern web browsers, including Chrome and Edge, since syscall filtering mitigations do not apply to ntoskrnl.exe system calls,” Kaspersky Lab researchers explained. “Just like with CVE-2018-8589, we believe this exploit is used by several threat actors including, but possibly not limited to, FruityArmor and SandCat.”

Zero Day Initiative’s Dustin Childs pointed out that exploiting CVE-2018-8626 is as easy as sending a specially crafted request to an affected DNS server. “Since DNS servers are designed to handle requests, there’s no other real defense beyond applying the patch. If you’re running DNS servers in your enterprise, definitely prioritize this one,” he advises.

He also singled out CVE-2018-8634, a text-to-speech RCE bug, as interesting. “First, newer functionalities like text-to-speech have a somewhat unknown attack surface. Secondly, Microsoft doesn’t state a sample exploit scenario, but since generating speech requires an HTTP POST request to the Speech service, it’s possible this could be remotely accessible if your application is network facing. Either way, if you employ text-to-speech, don’t overlook this patch.”

Animesh Jain, Qualys’ product manager for VM Signatures, noted that out of the “critical” bugs patched, most are browser-related, so browser and Scripting Engine patches should be prioritized for workstation-type devices. “This includes multi-user servers that are used as remote desktops for users,” he added.

The Adobe patches

After getting an early start on the December release with an out-of-band patch for a newly exploited Flash zero-day vulnerability (CVE-2018-15982), Adobe has now fixed a bucketload of vulnerabilities affecting Adobe Acrobat and Reader for Windows and macOS.

Among these is CVE-2018-19716, a heap overflow bug unearthed by Aleksandar Nikolic of the Cisco Talos team, which may allow an attacker to remotely execute code on the victim’s machine.

The attacker simply needs to trick the user into opening a specially crafted PDF containing specific JavaScript or a specially crafted email attachment, or into visiting a malicious web page.

(Microsoft has incorporated Adobe’s Flash patches into its Patch Tuesday bundle.)