News

Microsoft's December Security Patches Includes Fixes for Two Active Exploits

• By Kurt Mackie
• 12/11/2018

Microsoft ended the patch year on Tuesday with a whimper of sorts, releasing an estimated 39 security fixes in its December bundle plus one security advisory, according to a count by Trend Micro's Zero Day Initiative.

Details on the December security updates are listed in Microsoft's Security Update Guide. The 42 pages in the guide this month can be kind of daunting, though.

At least IT pros will get a break from having to check patch previews this month, according to a "Note" tucked away in the December bulletins, which states:

Because of minimal operations during the holidays and upcoming Western new year, there won't be any preview releases for the month of December 2018. Monthly servicing will resume with the January 2019 security releases.

Microsoft typically releases its main bunch of security and quality patches on "update Tuesdays," which are the second Tuesdays of the month. The next such release will be expected on Jan. 8, 2019.

The December bundle of security bulletins includes nine that are rated "Critical" by Microsoft and 30 that are rated "Important," according to the Zero Day Initiative. Cisco's Talos blog also offered an overview, although the Talos team counted 38 total vulnerabilities in this patch release, with nine being Critical and 29 being Important.

Security researchers this week highlighted two of the Important-rated patches in this December bundle, mostly because activity by attackers has already been detected.

For instance, one Important-rated patch addresses a "zero-day" Windows kernel flaw (CVE-2018-8611) that's exposed in all Microsoft-supported Windows operating systems. This flaw has already been exploited, according to the Zero Day Initiative. A zero-day flaw is one that apparently wasn't known to a software publisher. This particular flaw in Windows systems could be used by attackers to gain elevation-of-privilege capabilities, according to Chris Goettl, director of product management for security at Ivanti, but the flaw could be less severe for newer Windows OSes, he suggested.

"Exploitation has been detected on older OSes already, but the Exploitability Index is rated as a 1 for Windows 10 and Server 2019," Goettl indicated, per an e-mail, regarding this zero-day Windows flaw.

The Zero Day Initiative explained this flaw as a Win32 kernel flaw that "was reported by researchers at Kaspersky Labs, indicating this bug is being used in malware."

Goettl also highlighted an Important-rated patch for a .NET Framework kernel flaw (CVE-2018-8517). It's a patch for a publicly known issue, which consequently could be expected to proliferate among attackers. The flaw, if exploited, could lead to denial-of-service attacks. It's a difficult issue to exploit, but it could be done remotely, he noted.

"The vulnerability can be exploited remotely without authentication by issuing a specially crafted request to the vulnerable application," Goettl noted regarding the .NET Framework kernel flaw.

None of the nine Critical-rated flaws are known to be exploited, according to the Zero Day Initiative.

Goettl reminded IT pros to patch the Adobe Flash Player this month. He also noted that Oracle's Java SE 8 product will fall out of support "in January 2019," adding that "Java SE 11 is the next planned Long-Term Support release."

Ivanti publishes its Patch Tuesday blog posts at this page and is planning to host a recap discussion session on Microsoft's and other software vendors' patches on Dec. 12.