The November 2018 Security Update Review
November 13, 2018 | Dustin Childs
November is here and with it comes the latest in security offerings from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.
Adobe Patches for November 2018
For November, Adobe released patches covering Flash, Acrobat, and Photoshop. The Flash update corrects a single CVE that could allow an Out-Of-Bounds Read. The Important-severity bug could allow an information disclosure if exploited. The patch for Adobe Acrobat and Reader also corrects a single info disclosure issue. Adobe notes the proof of concept code for this CVE has been made publicly available. Rounding things out, the Photoshop patch fixes a single Out-Of-Bounds read which could result in an information disclosure. This last bug was submitted through the ZDI program.
Microsoft Patches for November 2018
Microsoft released 63 security patches and three advisories covering Internet Explorer (IE), Edge, ChakraCore, Microsoft Windows, Microsoft Dynamics, Office and Microsoft Office Services and Web Apps, .NET Framework, and Skype for Business. Of these 63 CVEs, 12 are listed as Critical, 49 are rated Important, one is rated as Moderate, and one is rated Low in severity. A total of five of these CVEs came through the ZDI program. Two of these bugs are listed as publicly known at the time of release and one of these is reported as being actively exploited.
Let’s take a closer look at some of the more interesting patches for this month, starting with the issue currently under active attack:
- CVE-2018-8589 – Win32k Elevation of Privilege Vulnerability
Just like last month, November has a Win32K (kernel-mode drivers) elevation of privilege vulnerability listed as currently under active attack. Also like last month, this bug was reported by researchers at Kaspersky Labs, indicating this bug is being used in malware. Again, this is likely being used in targeted attacks in combination with other bugs. Malware often uses kernel elevation bugs to go from user-mode to admin-mode, allowing them full control of a target system.
- CVE-2018-8450 – Windows Search Remote Code Execution Vulnerability
Local bugs are interesting, but I really like triggering things over the network. This patch corrects a problem in Windows Search that could allow a remote attacker to execute privileged code and take over a target system. There is a local component here, but Microsoft also states this could be done by an unauthenticated user via an SMB connection. Remotely triggering elevated code execution without authentication generally means wormable. Microsoft rates this as Important, but you should definitely treat it as Critical, especially since Microsoft also gives it the “Exploitation more likely” rating in its Exploit Index.
- CVE-2018-8476 – Windows Deployment Services TFTP Server Remote Code Execution Vulnerability
This patch corrects a bug that could allow an attacker to execute code with elevated permissions through a specially crafted TFTP message. Getting elevated code execution over a network without authentication generally means wormable, but for this vulnerability, it would only be wormable to other affected TFTP servers. However, chances are your TFTP server also has other roles. Since this bug allows an attacker to take over a system, any other service – DNS, Active Directory, DHCP, etc. – could also be manipulated. If you’re running deployment services, don’t miss this patch.
- CVE-2018-8566 – BitLocker Security Feature Bypass Vulnerability
The BitLocker encryption feature has had a rough month. First, it was shown that it could be bypassed due to bad SSD encryption. Microsoft released Advisory ADV180028 to address that problem. This patch corrects a vulnerability in the way BitLocker suspends device encryption. Someone with physical access could bypass encryption if they find a device in the correct, powered-off state. One of the primary reasons to roll out BitLocker is to prevent just this sort of scenario. If your enterprise uses BitLocker, definitely prioritize this update.
Here’s the full list of CVEs released by Microsoft for November 2018.
CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older | Type |
CVE-2018-8589 | Windows Win32k Elevation of Privilege Vulnerability | Important | No | Yes | 1 | 0 | EoP |
CVE-2018-8584 | Windows ALPC Elevation of Privilege Vulnerability | Important | Yes | No | 1 | 1 | EoP |
CVE-2018-8566 | BitLocker Security Feature Bypass Vulnerability | Important | Yes | No | 2 | 2 | SFB |
CVE-2018-8476 | Windows Deployment Services TFTP Server Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 | RCE |
CVE-2018-8553 | Microsoft Graphics Components Remote Code Execution Vulnerability | Critical | No | No | N/A | 1 | RCE |
CVE-2018-8588 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
CVE-2018-8541 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
CVE-2018-8542 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
CVE-2018-8543 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
CVE-2018-8544 | Windows VBScript Engine Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 | RCE |
CVE-2018-8555 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
CVE-2018-8556 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
CVE-2018-8557 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
CVE-2018-8551 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
CVE-2018-8609 | Microsoft Dynamics 365 (on-premises) version 8 Remote Code Execution Vulnerability | Critical | No | No | N/A | N/A | RCE |
CVE-2018-8600 | Azure App Service Cross-site Scripting Vulnerability | Important | No | No | N/A | N/A | Spoof |
CVE-2018-8602 | Team Foundation Server Cross-site Scripting Vulnerability | Important | No | No | N/A | N/A | Spoof |
CVE-2018-8605 | Microsoft Dynamics 365 (on-premises) version 8 Cross Site Scripting Vulnerability | Important | No | No | N/A | N/A | Spoof |
CVE-2018-8606 | Microsoft Dynamics 365 (on-premises) version 8 Cross Site Scripting Vulnerability | Important | No | No | N/A | N/A | Spoof |
CVE-2018-8607 | Microsoft Dynamics 365 (on-premises) version 8 Cross Site Scripting Vulnerability | Important | No | No | N/A | N/A | Spoof |
CVE-2018-8608 | Microsoft Dynamics 365 (on-premises) version 8 Cross Site Scripting Vulnerability | Important | No | No | N/A | N/A | Spoof |
CVE-2018-8471 | Microsoft RemoteFX Virtual GPU miniport driver Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2018-8485 | DirectX Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2018-8554 | DirectX Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2018-8561 | DirectX Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2018-8562 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2018-8572 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2018-8581 | Microsoft Exchange Server Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2018-8550 | Windows COM Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2018-8552 | Windows VBScript Engine Remote Code Execution Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2018-8568 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2018-8592 | Windows Elevation Of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2018-8567 | Microsoft Edge Elevation of Privilege Vulnerability | Important | No | No | 1 | N/A | EoP |
CVE-2018-8563 | DirectX Information Disclosure Vulnerability | Important | No | No | N/A | 1 | Info |
CVE-2018-8407 | MSRPC Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2018-8454 | Windows Audio Service Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2018-8565 | Win32k Information Disclosure Vulnerability | Important | No | No | N/A | 1 | Info |
CVE-2018-8558 | Microsoft Outlook Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2018-8408 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 1 | 1 | Info |
CVE-2018-8545 | Microsoft Edge Information Disclosure Vulnerability | Important | No | No | 1 | N/A | Info |
CVE-2018-8578 | Microsoft SharePoint Information Disclosure Vulnerability | Important | No | No | 3 | 3 | Info |
CVE-2018-8579 | Microsoft Outlook Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2018-8256 | PowerShell Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2018-8522 | Microsoft Outlook Remote Code Execution Vulnerability | Important | No | No | 1 | 1 | RCE |
CVE-2018-8576 | Microsoft Outlook Remote Code Execution Vulnerability | Important | No | No | 1 | 1 | RCE |
CVE-2018-8524 | Microsoft Outlook Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2018-8539 | Microsoft Word Remote Code Execution Vulnerability | Important | No | No | N/A | 1 | RCE |
CVE-2018-8573 | Microsoft Word Remote Code Execution Vulnerability | Important | No | No | 1 | 1 | RCE |
CVE-2018-8574 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 1 | 1 | RCE |
CVE-2018-8575 | Microsoft Project Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2018-8582 | Microsoft Outlook Remote Code Execution Vulnerability | Important | No | No | N/A | 1 | RCE |
CVE-2018-8450 | Windows Search Remote Code Execution Vulnerability | Important | No | No | 1 | 1 | RCE |
CVE-2018-8577 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 1 | 1 | RCE |
CVE-2018-8570 | Internet Explorer Memory Corruption Vulnerability | Important | No | No | N/A | 2 | RCE |
CVE-2018-8417 | Microsoft JScript Security Feature Bypass Vulnerability | Important | No | No | 1 | 1 | SFB |
CVE-2018-8549 | Windows Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 | SFB |
CVE-2018-8564 | Microsoft Edge Spoofing Vulnerability | Important | No | No | 1 | N/A | Spoof |
CVE-2018-8547 | Active Directory Federation Services XSS Vulnerability | Important | No | No | 2 | 2 | Spoof |
CVE-2018-8529 | Team Foundation Server Remote Code Execution Vulnerability | Important | No | No | N/A | N/A | RCE |
CVE-2018-8569 | Yammer Desktop Application Remote Code Execution Vulnerability | Important | No | No | N/A | N/A | RCE |
CVE-2018-8415 | Microsoft Powershell Tampering Vulnerability | Important | No | No | 2 | 2 | Tampering |
CVE-2018-8416 | .NET Core Tampering Vulnerability | Moderate | No | No | 2 | 2 | Tampering |
CVE-2018-8546 | Microsoft Skype for Business Denial of Service Vulnerability | Low | No | No | 3 | 3 | DoS |
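The table above can be turned into a patch queue. The following is an added example, not code from the original post or from Microsoft: it parses a constructed sample of six rows copied from the table and sorts them by an assumed triage order (exploited, then public, then Exploitability Index, then vendor severity). The function names and the handling of N/A are assumptions.

```python
# Added example: rank rows of the CVE table for patch triage.
# ROWS is a constructed sample: six rows copied from the table on this page.
ROWS = """\
CVE-2018-8546 | Microsoft Skype for Business Denial of Service Vulnerability | Low | No | No | 3 | 3 | DoS |
CVE-2018-8609 | Microsoft Dynamics 365 (on-premises) version 8 Remote Code Execution Vulnerability | Critical | No | No | N/A | N/A | RCE |
CVE-2018-8450 | Windows Search Remote Code Execution Vulnerability | Important | No | No | 1 | 1 | RCE |
CVE-2018-8476 | Windows Deployment Services TFTP Server Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 | RCE |
CVE-2018-8566 | BitLocker Security Feature Bypass Vulnerability | Important | Yes | No | 2 | 2 | SFB |
CVE-2018-8589 | Windows Win32k Elevation of Privilege Vulnerability | Important | No | Yes | 1 | 0 | EoP |
"""

FIELDS = ("cve", "title", "severity", "public", "exploited",
          "xi_latest", "xi_older", "type")
SEVERITY = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}
XI_UNRATED = 2  # assumption: treat N/A as "exploitation less likely"


def parse_rows(text):
    """Split each pipe-delimited row into a dict; skip header/malformed lines."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().rstrip("|").split("|")]
        if len(cells) != len(FIELDS) or not cells[0].startswith("CVE-"):
            continue
        rows.append(dict(zip(FIELDS, cells)))
    return rows


def best_xi(row):
    """Lowest (most exploitable) XI value across both XI columns."""
    vals = [int(row[k]) for k in ("xi_latest", "xi_older") if row[k].isdigit()]
    return min(vals) if vals else XI_UNRATED


def triage_key(row):
    # Assumed ordering (not Microsoft's): active exploitation first, then
    # public disclosure, then exploitability, then vendor severity.
    return (row["exploited"] != "Yes", row["public"] != "Yes",
            best_xi(row), SEVERITY.get(row["severity"], 4), row["cve"])


def prioritize(text):
    """Return CVE ids in the order they should be patched."""
    return [r["cve"] for r in sorted(parse_rows(text), key=triage_key)]


if __name__ == "__main__":
    print("\n".join(prioritize(ROWS)))
```

Because the Exploitability Index is weighed ahead of vendor severity, CVE-2018-8450 lands directly behind the Critical TFTP bug and ahead of the Critical Dynamics bug, in line with the advice above to treat it as Critical.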
This month sees fewer browser-related patches than previous months, but there are still plenty of browser bugs to cover. There’s also a patch for VBScript that acts like a browser bug since it has the same exploit scenario (browse and own) as the web browsers. An attacker could also embed an ActiveX control marked “safe for initialization” in an Office document and trick a user into opening it.
Remote code execution (RCE) bugs dominate this month’s release, with 24 patches for RCE bugs. Many of the RCE bugs corrected this month reside in the Office suite. Word, Excel, Project, SharePoint, and Outlook all receive patches in this release. The Outlook bugs are somewhat interesting, but none can be hit through the Preview Pane. Having an attacker rely on user interaction means defenders have to rely on user education, which is sometimes a risky bet.
Tampering is a rarely seen impact, but there are two CVEs this month covering tampering vulns. The first is in .NET Core and could allow attackers to write arbitrary files on a system by sending a specially crafted file to an affected system. However, attackers only have limited control over the destination for files. The other tampering bug affects PowerShell and could allow local attackers to execute unlogged code. There’s also a PowerShell RCE bug being patched. In this case, an attacker would need to send a specially crafted file to a target system.
There are also updates for the Windows graphics components, DirectX, Windows kernel, the COM Aggregate Marshaler, and Advanced Local Procedure Calls (ALPC). One of the graphics-related vulnerabilities could allow code execution when viewing a specially crafted image. One of the more esoteric Windows patches corrects an elevation of privilege that could occur if you installed certain builds of Windows from media for Windows 10, version 1809 and an attacker had physical access to the target. That’s a pretty specific attack scenario.
Microsoft Dynamics also receives a fair amount of attention this month, with multiple patches delivering fixes for Microsoft Dynamics 365 (on-premises) version 8. The majority of these patches correct cross-site scripting (XSS) issues. There is also a patch for an RCE in Dynamics that could allow an attacker to execute code at the level of the SQL service account. While this won’t allow someone to completely take over a system, it does allow them to really mess with the information in a database.
Rounding out the November release is a patch for Microsoft Exchange to address an elevation of privilege bug. An attacker could use command injection to impersonate any other user on the Exchange Server. It would require a man-in-the-middle to be successful, but just imagine the hijinks that would ensue from sending out spoofed mail. Fortunately for Exchange admins, this bug can be rendered unexploitable just through the deletion of a registry key. That’s much less nerve-wracking than a typical Exchange patch.
Finally, there are a few advisories to cover this month, as well. The aforementioned ADV180028 was released earlier on November 6, but it should not be ignored for those running BitLocker. ADV990001 provides a list of the latest servicing stack updates for each operating system. The final advisory for November is Microsoft’s version of the previously discussed Adobe patch for Flash in Internet Explorer.
Looking Ahead
The next Patch Tuesday falls on December 11, and we’ll return with details and patch analysis then. Until then, happy patching and may all your reboots be smooth and clean!