If you saw the Patch Tuesday forecast for December, the reality turned out to be fairly close to what I predicted. There are only a few surprises and additional concerns to note.

December Patch Tuesday Summary:

  • Microsoft released a total of 17 updates resolving 39 unique vulnerabilities. They resolved one zero-day and one publicly disclosed vulnerability. Affected software includes Windows, Office, Sharepoint, .Net Framework, Exchange Server, and the browsers of course. There is also a Flash update for IE that was released earlier, but make sure you include this in your maintenance as it resolves some zero-days from Adobe.
  • Adobe released a critical Acrobat and Reader update resolving 87 unique vulnerabilities. Adobe also led up to Patch Tuesday with a November 20 and December 5 release of Adobe Flash Player resolving two zero-day vulnerabilities.
  • Mozilla released updates for FireFox and FireFox ESR resolving 11 unique vulnerabilities.

Microsoft resolves one zero-day vulnerability in the Windows kernel (CVE-2018-8611) which can allow an attacker to execute an Elevation-of-Privilege, enabling the culprit to run arbitrary code in kernel mode. The attacker would first have to log on to the system then run a specially crafted application to take control of the affected system. This vulnerability exists in all currently supported Windows operating systems from Windows 7 to Server 2019. Exploitation has been detected on older OSs already, but the Exploitability Index is rated as a 1 for Windows 10 and Server 2019.

Microsoft has resolved a publicly disclosed vulnerability in .Net Framework (CVE-2018-8517) that could allow a denial-of-service in .Net Framework web applications. The vulnerability can be exploited remotely without authentication by issuing a specially crafted request to the vulnerable application. The vulnerability is rated as Important likely due to complexity to exploit, but it has been publicly disclosed, meaning enough information has been revealed to the public to give a threat actor a head start on creating an exploit to take advantage of the vulnerability. Public disclosures increase the odds a vulnerability will be exploited.

Ensure you have deployed the latest Adobe Flash Player updates.

Leading up to Patch week Adobe has resolved two zero-day vulnerabilities in Flash Player. On 11/20 CVE-2018-15981 was resolved in APSB18-44. The vulnerability has been seen in live exploits by crafting a Flash .swf file to take advantage of the vulnerability and install malware.

On December 5 another Flash zero-day (CVE-2018-15982) was resolved  in APSB18-42, which has been observed in a widespread campaign that was exploited through ActiveX embedded in a Microsoft Office document.

Priorities:

  • Microsoft operating system updates are urgent this month with the nasty zero-day vulnerability in the Windows kernel (CVE-2018-8611).
  • Adobe Flash for Desktop, IE, Chrome and other variations are urgent with two zero-day vulnerabilities. Systems can have multiple instances of Flash Player, so ensuring you can update all of them is very important. CVE-2018-15981 was resolved in APSB18-44 and (CVE-2018-15982) was resolved in APSB18-42.
  • Adobe Acrobat Reader and Acrobat resolve a high number of vulnerabilities and should be updated as soon as possible.
  • Mozilla Firefox resolves several critical vulnerabilities and warrants some attention as well since the browser is an easy user-targeted entry point for attackers.

In other news:

Oracle CPU in January – Keep in mind Java SE 8 is reaching the end of public updates in January 2019. Java SE 11 is the next planned long-term support release. If you have not already started, that is the ideal migration path for long-term support. If you cannot move yet, Oracle will be making private updates available for an additional cost.