Microsoft’s November Patch Tuesday Addresses 64 Vulnerabilities

November 13 2018 marked Microsoft’s November Patch Tuesday. The day saw the release of patches and security updates for Windows, Internet Explorer, Edge, and other Microsoft products.

In total, 64 vulnerabilities were addressed across the range of Microsoft products. There were 12 vulnerabilities which were considered “critical” by developers. The updates are hoped to protect Microsoft devices against malware attacks, which are becoming increasingly prevalent.  

The 12 critical vulnerabilities could allow hackers to execute malicious code and take full control of a vulnerable device. The majority of the critical vulnerabilities are in the Chakra Scripting Engine, which account for 8 of the 12 critical flaws.

CVE-2018-8541, CVE-2018-8542, CVE-2018-8543, CVE-2018-8551, CVE-2018-8555, CVE-2018-8556, CVE-2018-8557, and CVE-2018-8588, are all memory corruption vulnerabilities concerning how the Chakra Scripting Engine handles objects in the memory in Microsoft Edge. All eight vulnerabilities could be exploited if a user visits a specially crafted webpage using the Microsoft Edge browser. The vulnerabilities could also be exploited through malvertising.

The other critical vulnerabilities are listed below:

CVE-2018-8476 concerns how objects in the memory are handled by Windows Deployment Services TFTP Server. Exploitation of the vulnerability would allow a hacker to execute arbitrary code on a vulnerable server with elevated permissions.

CVE-2018-8544 concerns how objects in the memory are handled by Windows VBScript Engine. If exploited, an attacker could execute arbitrary code with the same level of privileges as the current user.  If the user has administrative rights, an attacker could take full control of a vulnerable system. The vulnerability could be exploited via an embedded Active X control in a Microsoft Office file that hosts the IE rendering engine, via malvertising, or specially crafted webpages.

CVE-2018-8553 concerns how objects in the memory are handled by Microsoft Graphics Components. Exploitation of the vulnerability would require a user to open a specially crafted file, for instance, one sent in a phishing email.

CVE-2018-8609 is the failure of Microsoft Dynamics 365 (on-premises) version 8 to sanitize web requests to a Dynamics server. If exploited, an attacker could run arbitrary code in the context of an SQL service. The flaw could be exploited by sending a specially crafted request to an unpatched Dynamics server.

Microsoft also issued a patch for the actively exploited Windows Win32k Elevation of Privilege Vulnerability CVE-2018-8589. If exploited, an attacker could run arbitrary code in the security context of the local system. However, system access would first need to be gained before the flaw could be exploited.

Adobe has also issued patches this patch Tuesday for Flash Player, Acrobat, Reader, and Photoshop CC.

The CVE-2018-15978 flaw in Flash Player has been addressed in the update. This out-of-bounds read flaw that would potentially allow an attacker to see sensitive data. A similar out-of-bounds read flaw was identified in Photoshop CC (CVE-2018-15980), which has also been addressed. 

For Acrobat and Reader, November’s patch clears up CVE-2018-15978, an information disclosure flaw that would allow attackers to lift NTLM single sign-on password hashes. No exploitations of this flaw have been reported, but proof-of-concept code has been posted online for the flaw.