December 2018 Security Update from Microsoft – A Closer Look

Microsoft has recently rolled out the last patches of this year; December 2018 Security Update. In addition, Advisory on .NET Framework, ChackraCore, Microsoft Windows, Internet Explorer (IE), Edge, Office and Microsoft Office Services and Web Apps is released. Out of the 39 CVEs (Common Vulnerabilities and Exposure), the severity status of 9 is critical, while 30 CVEs are marked important. One of the bugs is reported to be under active attack in the Advisory.

In short, though the patch is a comparatively smaller one with just 39 CVEs, it is something you must prioritize. So, here, let’s take you through a brief review of the December 2018 Security Update Microsoft.

December 2018 Security Update from Microsoft

December 2018 Security Update from Microsoft

The update released on 11th December 2018 (Patch Tuesday, December) is a cumulative update. The patch consists of security updates as well as all the other fixed introduced until then. You system downloads these updates automatically. If you’d like to get the stand-alone version, you can download from Microsoft Update Catalog as well.

Threats and vulnerabilities

About 25 percent of the entire release relates to browser-related bugs. Office and Office SharePoint group of application constitute to another major part of the release. Some other important patches include those for the Kernel, DirectX and other kernel-mode drivers.

Of the 39 patches released as the 2018 December security update, the following are some of the important bugs covered.

CVE-2018-8517 – .NET Framework Denial of Service Vulnerability

This bug results in .NET framework being unable to handle some web requests appropriately. When exploited, this vulnerability may result in denial of service in a web application. It is possible for an attacker to exploit this bug without any kind of authentication. Some changes are brought in, so as to handle the .NET framework denial of service vulnerabilities.

CVE-2018-8611 – Windows Kernel Elevation of Privilege Vulnerability

This vulnerability relates to Windows Kernel’s inability to handle objects in its memory. If exploited, an attacker may run specific codes arbitrarily to change data, create an account or install programs with complete user privilege. In accordance with reports, this vulnerability is already being actively exploited.

CVE-2018-8634 – Microsoft Text-To-Speech Remote Code Execution Vulnerability

This patch can be important for those who employ or use text to speech. Though the chances of attacks are sleek, vulnerabilities exist as text-to-speech involves sending an HTTP POST request to the “Speech service”. And, like in case of Elevation of Privilege threat, when exploited, the invader can take control over the system affected.

CVE-2018-8540 – .NET Framework Remote Code Injection Vulnerability

Classified ‘critical’ under severity status, RCI vulnerability involves the failure of the .NET network to correctly validate the input. When exploited, the attacker can manipulate the affected system by using susceptible .NET methods to pass a particular code or input.

Follow the entire list of CVEs –

Used abbreviations –

RCI: “Remote Code Injection”
EMC: “Engine Memory Corruption”
RCE: “Remote Code Execution”
DOS: “Denial of Service”.

A closer look at December 2018 Security Updates from Microsoft details and the complete list of CVEs in the Advisory –

Vulnerability/Title Severity status Type Public XI – Latest XI – Older Exploited
CVE-2018-8611 –

Windows Kernel: Elevation of Privilege Vulnerability

Important EoP No 1 0 Yes
CVE-2018-8540 -.

NET Framework RCI Vulnerability

Critical RCE No 2 2 No
CVE-2018-8583 –

Chakra Scripting EMC Vulnerability

Critical RCE No 1 NA No
CVE-2018-8617 –

Chakra Scripting EMC Vulnerability

Critical RCE No 1 NA No
CVE-2018-8629 –

Chakra Scripting EMC Vulnerability

Critical RCE No 1 NA No
CVE-2018-8626 –

Windows DNS Server-Heap Overflow Vulnerability

Critical RCE No 2 2 No
CVE-2018-8624 –

Chakra Scripting EMC Vulnerability

Critical RCE No 1 NA No
CVE-2018-8618 –

Chakra Scripting EMC Vulnerability

Critical RCE No 1 NA No
CVE-2018-8634 –

Microsoft Text-To-Speech RCE Vulnerability

Critical RCE No 1 1 No
CVE-2018-8631 –

Internet Explorer Memory Corruption Vulnerability

Critical RCE No 1 1 No
CVE-2018-8517 –

.NET Framework DOS Vulnerability

Important DoS Yes 3 3 No
CVE-2018-8514 –

Remote Procedure Call runtime Information Disclosure Vulnerability

Important Info No 2 2 No
CVE-2018-8477 –

Windows Kernel Information Disclosure Vulnerability

Important Info No 1 1 No
CVE-2018-8587 –

Microsoft Outlook RCE Vulnerability

Important RCE No 1 1 No
CVE-2018-8580 –

Microsoft SharePoint Information Disclosure Vulnerability

Important Info No 3 3 No
CVE-2018-8596 –

Windows GDI Information Disclosure Vulnerability

Important Info No 1 1 No
CVE-2018-8595 –

Windows GDI Information Disclosure Vulnerability

Important Info No 1 1 No
CVE-2018-8598 –

Microsoft Excel Information Disclosure Vulnerability

Important Info No 2 2 No
CVE-2018-8597 –

Microsoft Excel RCE Vulnerability

Important RCE No 1 1 No
CVE-2018-8604 –

Microsoft Exchange Server Tampering Vulnerability

Important Tampering No 2 2 No
CVE-2018-8599 –

Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability

Important EoP No 1 1 No
CVE-2018-8619 –

Internet Explorer RCE Vulnerability

Important RCE No 1 1 No
CVE-2018-8612 –

Connected User Experiences and Telemetry Service DOS Vulnerability

Important Dos No 1 1 No
CVE-2018-8621 –

Windows Kernel Information Disclosure Vulnerability

Important Info No 1 NA No
CVE-2018-8625 –

Windows VBScript Engine RCE Vulnerability

Important RCE No 1 1 No
CVE-2018-8622 –

Windows Kernel Information Disclosure Vulnerability

Important Info No 1 1 No
CVE-2018-8628 –

Microsoft PowerPoint RCE Vulnerability

Important RCE No 1 1 No
CVE-2018-8627 –

Microsoft Excel Information Disclosure Vulnerability

Important Info No 2 2 No
CVE-2018-8635 –

Microsoft SharePoint Server Elevation of Privilege Vulnerability

Important Info No 2 2 No
CVE-2018-8639 –

Win32k Elevation of Privilege Vulnerability

Important EoP No 1 1 No
CVE-2018-8636 –

Microsoft Excel RCE Vulnerability

Important RCE No 2 2 No
CVE-2018-8638 –

DirectX Information Disclosure Vulnerability

Important Info No 1 1 No
CVE-2018-8637 –

Win32k Information Disclosure Vulnerability

Important Info No 1 1 No
CVE-2018-8641 –

Win32k Elevation of Privilege Vulnerability

Important Eop No 1 1 No
CVE-2018-8643 –

Scripting EMC Vulnerability

Important RCE No 1 1 No
CVE-2018-8649 –

Windows DOS Vulnerability

Important DoS No NA NA No
CVE-2018-8650 –

Microsoft Office SharePoint XSS Vulnerability

Important XSS No NA NA No
CVE-2018-8652 –

Windows Azure Pack Cross-Site Scripting Vulnerability

Important XSS No NA NA No
CVE-2018-8651 –

Microsoft Dynamics NAV Cross-Site Scripting Vulnerability

Important XSS No 2 2 No

That’s all!!!

           

Leave a Reply

Your email address will not be published. Required fields are marked *