November 2018 Patch Tuesday: Microsoft fixes 63 flaws, one actively exploited zero-day
As part of the November 2018 Patch Tuesday, Microsoft has released 62 security patches and several advisories.
There are 12 critical vulnerabilities among those patched this month, but CVE-2018-8589, a Windows Win32k elevation of privilege flaw that’s being actively exploited by attackers, is not one of them.
The attacks exploiting the flaw were flagged by Kaspersky Lab. “The exploit was executed by the first stage of a malware installer in order to gain the necessary privileges for persistence on the victim’s system. So far, we have detected a very limited number of attacks using this vulnerability. The victims are located in the Middle East,” the company’s researchers noted.
A similar vulnerability was reported by Kaspersky in August, and patched by Microsoft last month. As with that one, attackers using CVE-2018-8589 must first gain access to the system and then exploit this flaw to elevate their privileges to gain full control of a target system.
Other vulnerabilities and prioritizing patches
Trend Micro Zero Day Initiative’s Dustin Childs flagged CVE-2018-8450, a Window Search RCE flaw, as critical (although Microsoft does not).
“This patch corrects a problem in Windows Search that could allow a remote attacker to execute privileged code and take over a target system,” he explains. “There is a local component here, but Microsoft also states this could be done by an unauthenticated user via an SMB connection. Remotely triggering elevated code execution without authentication generally means wormable.”
The patch for CVE-2018-8476, a remote code execution flaw affecting Windows Deployment Services’ TFTP Server, should be prioritized if the service is used in the organization’s environment.
“This patch corrects a bug that could allow an attacker to execute code with elevated permissions through a specially crafted TFTP message. Getting elevated code execution over a network without authentication generally means wormable, but for this vulnerability, it would only be wormable to other affected TFTP servers,” Childs noted.
“However, chances are your TFTP server also has other roles. Since this bug allows an attacker to take over a system, any other service – DNS, Active Directory, DHCP, etc. – could also be manipulated. If you’re running deployment services, don’t miss this patch.”
Jimmy Graham, Director of Product Management at Qualys, advises administrators to prioritize:
- browser and Scripting Engine patches for workstation-type devices (and multi-user servers that are used as remote desktops for users), as out of the twelve critical vulnerabilities fixed, ten can be exploited through browsers or opening malicious files, and
- the CVE-2018-8609 patch if they use on-premises deployments of Microsoft Dynamics 365. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SQL service account, and alter the information contained in a database.
As a side note: Adobe has also released security updates on Tuesday, to address information disclosure vulnerabilities in Flash Player, Adobe Acrobat and Reader, and Adobe Photoshop CC.