The December 2018 Security Update Review
December 11, 2018 | Dustin Childs
December is here and with it comes the latest in security offerings from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.
Adobe Patches for December 2018
Adobe got an early start on the December release by shipping their patch for Flash on December 5. The patch actually addresses two CVEs, but only one – CVE-2018-15982 – is listed as being under active attack. The attack involves an embedded Flash SWF within a Microsoft Office document. The use-after-free exploit allows the attacker to execute code at the level of the logged on user. The document is spread through spear phishing campaigns, so remember the importance of good email practices. Flash exploitation had been on the decline since browsers are doing more to block Flash content. However, exploit writers have shifted their techniques to embedding Flash in Office docs to take advantage of vulnerabilities in the media player.
Today, Adobe released a massive update for Acrobat and Reader covering 87 CVEs. A total of 39 of these came through the ZDI program. The security bulletin also acknowledges ZDI researcher Abdul-Aziz Hariri for his defense-in-depth contributions to hardening JavaScript API restrictions bypasses and for his contributions to mitigate the Onix Indexing attack surface. None of these CVEs are noted as being under active attack. All but one of these are listed as Important in severity, with the exception being a lone Moderate CVE. About half of these CVEs cover Out-Of-Bounds (OOB) read bugs, but the patch also corrects UAFs, OOB writes, security feature bypasses, buffer errors, heap overflows, integer overflows, and an untrusted pointer dereference. This is the second Reader patch of this magnitude in 2018. It will be interesting to see if the volume continues in 2019.
Microsoft Patches for December 2018
Microsoft closes out 2018 with a relatively small release of 39 security patches and one advisory covering Internet Explorer (IE), Edge, ChakraCore, Microsoft Windows, Office and Microsoft Office Services and Web Apps, and the .NET Framework. Of these 39 CVEs, 9 are listed as Critical and 30 are rated Important in severity. A total of five of these CVEs came through the ZDI program. One of these bugs is listed as publicly known at the time of release and one of these is reported as being actively exploited.
Let’s take a closer look at some of the more interesting patches for this month, starting with the issue currently under active attack:
- CVE-2018-8611 – Win32k Elevation of Privilege Vulnerability
For the third month in a row, December has a Win32K (kernel-mode drivers) elevation of privilege vulnerability listed as currently under active attack. And, as was the case in previous months, this bug was reported by researchers at Kaspersky Labs, indicating this bug is being used in malware. Again, this is likely being used in targeted attacks in combination with other bugs.
- CVE-2018-8626 – Windows DNS Server Heap Overflow Vulnerability
This corrects a bug in the Windows DNS server that could allow an attacker to execute code in the context of the LocalSystem Account. While it doesn’t have permissions to everything, it has plenty. Exploiting this vulnerability is as easy as sending a specially crafted request to an affected DNS server. Since DNS servers are designed to handle requests, there’s no other real defense beyond applying the patch. If you’re running DNS servers in your enterprise, definitely prioritize this one.
- CVE-2018-8540 – .NET Framework Remote Code Injection Vulnerability
This patch addresses a Critical-rated RCE in the .NET Framework that could allow an attacker to take control of a system if they passed specific input to an application utilizing susceptible .NET methods. It’s not clear if .NET applications need to be recompiled after this patch is applied, but that’s often the case to be fully protected from input validation bugs.
- CVE-2018-8634 – Microsoft Text-To-Speech Remote Code Execution Vulnerability
This patch is interesting for a couple of different reasons. First, newer functionalities like text-to-speech have a somewhat unknown attack surface. This isn’t the first text-to-speech related bug – Android had one a few years ago – but it’s certainly not often seen. Secondly, Microsoft doesn’t state a sample exploit scenario, but since generating speech requires an HTTP POST request to the Speech service, it’s possible this could be remotely accessible if your application is network facing. Either way, if you employ text-to-speech, don’t overlook this patch.
Here’s the full list of CVEs released by Microsoft for December 2018.
CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older | Type |
CVE-2018-8611 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | Yes | 1 | 0 | EoP |
CVE-2018-8517 | .NET Framework Denial Of Service Vulnerability | Important | Yes | No | 3 | 3 | DoS |
CVE-2018-8540 | .NET Framework Remote Code Injection Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2018-8583 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
CVE-2018-8617 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
CVE-2018-8618 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
CVE-2018-8624 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
CVE-2018-8626 | Windows DNS Server Heap Overflow Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2018-8629 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
CVE-2018-8631 | Internet Explorer Memory Corruption Vulnerability | Critical | No | No | 1 | 1 | RCE |
CVE-2018-8634 | Microsoft Text-To-Speech Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 | RCE |
CVE-2018-8477 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 1 | 1 | Info |
CVE-2018-8514 | Remote Procedure Call runtime Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2018-8580 | Microsoft SharePoint Information Disclosure Vulnerability | Important | No | No | 3 | 3 | Info |
CVE-2018-8587 | Microsoft Outlook Remote Code Execution Vulnerability | Important | No | No | 1 | 1 | RCE |
CVE-2018-8595 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 1 | 1 | Info |
CVE-2018-8596 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 1 | 1 | Info |
CVE-2018-8597 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 1 | 1 | RCE |
CVE-2018-8598 | Microsoft Excel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2018-8599 | Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2018-8604 | Microsoft Exchange Server Tampering Vulnerability | Important | No | No | 2 | 2 | Tampering |
CVE-2018-8612 | Connected User Experiences and Telemetry Service Denial of Service Vulnerability | Important | No | No | 1 | 1 | DoS |
CVE-2018-8619 | Internet Explorer Remote Code Execution Vulnerability | Important | No | No | 1 | 1 | RCE |
CVE-2018-8621 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | N/A | 1 | Info |
CVE-2018-8622 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | N/A | 1 | Info |
CVE-2018-8625 | Windows VBScript Engine Remote Code Execution Vulnerability | Important | No | No | 1 | 1 | RCE |
CVE-2018-8627 | Microsoft Excel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2018-8628 | Microsoft PowerPoint Remote Code Execution Vulnerability | Important | No | No | 1 | 1 | RCE |
CVE-2018-8635 | Microsoft SharePoint Server Elevation of Privilege Vulnerability | Important | No | No | 3 | 3 | EoP |
CVE-2018-8636 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2018-8637 | Win32k Information Disclosure Vulnerability | Important | No | No | 1 | 1 | Info |
CVE-2018-8638 | DirectX Information Disclosure Vulnerability | Important | No | No | 1 | 1 | Info |
CVE-2018-8639 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2018-8641 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2018-8643 | Scripting Engine Memory Corruption Vulnerability | Important | No | No | 1 | 1 | RCE |
CVE-2018-8649 | Windows Denial of Service Vulnerability | Important | No | No | N/A | N/A | DoS |
CVE-2018-8650 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | N/A | N/A | XSS |
CVE-2018-8651 | Microsoft Dynamics NAV Cross Site Scripting Vulnerability | Important | No | No | 2 | 2 | XSS |
CVE-2018-8652 | Windows Azure Pack Cross Site Scripting Vulnerability | Important | No | No | N/A | N/A | XSS |
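As an added example (not part of the original post or of Microsoft's guidance), here is one way to turn rows in the table's format into a patch order. The ordering rule and the handling of "N/A" are assumptions; local exposure, such as running Windows DNS servers, would move items up.

```python
from typing import NamedTuple

# Rows copied from the table above, in its column order (note the trailing pipe).
TABLE = """\
CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older | Type |
CVE-2018-8580 | Microsoft SharePoint Information Disclosure Vulnerability | Important | No | No | 3 | 3 | Info |
CVE-2018-8626 | Windows DNS Server Heap Overflow Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2018-8649 | Windows Denial of Service Vulnerability | Important | No | No | N/A | N/A | DoS |
CVE-2018-8517 | .NET Framework Denial Of Service Vulnerability | Important | Yes | No | 3 | 3 | DoS |
CVE-2018-8611 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | Yes | 1 | 0 | EoP |
CVE-2018-8583 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
"""

SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}
UNRATED_XI = 4  # assumption: "N/A" in both XI columns sorts after any rated value


class Patch(NamedTuple):
    cve: str
    title: str
    severity: str
    public: bool
    exploited: bool
    xi: int  # lowest of the two XI columns (0 = exploitation detected, 3 = unlikely)
    kind: str


def parse_table(text: str) -> list:
    """Parse pipe-delimited rows; skip the header and any malformed line."""
    patches = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.rstrip().rstrip("|").split("|")]
        if len(cells) != 8 or not cells[0].startswith("CVE-"):
            continue
        rated = [int(c) for c in cells[5:7] if c.isdigit()]
        patches.append(Patch(*cells[:3], cells[3] == "Yes", cells[4] == "Yes",
                             min(rated, default=UNRATED_XI), cells[7]))
    return patches


def triage(patches: list) -> list:
    """Assumed order: exploited, then severity, then XI, then public disclosure."""
    return sorted(patches, key=lambda p: (
        not p.exploited, SEVERITY_RANK.get(p.severity, 9), p.xi, not p.public, p.cve))


if __name__ == "__main__":
    for p in triage(parse_table(TABLE)):
        print(f"{p.cve}  {p.severity:<9}  XI={p.xi}  {p.title}")
```
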
Although a smaller overall set of patches, browser-related bugs make up about 25% of the total release. This includes the VBScript bugs that act like browser bugs since they have the same exploit scenario (browse and own) as the web browsers. Interestingly, these are listed as Important severity instead of Critical. According to Microsoft’s severity classification guide, client systems get Critical ratings for “Network Worms, or unavoidable common browsing/use scenarios where client is compromised without warnings or prompts.” Perhaps these Important-rated bugs pop some warning not clearly stated in the vulnerability description.
Another quarter of this release is related to the Office and Office SharePoint group of applications. The most interesting is likely the patch for Outlook due to the proliferation of phishing-related attacks (see above). Fortunately, the Preview Pane is not an attack vector for this bug. And, before you say “I’d never fall for that!” – imagine an attack that combined this with the bug from ZDI-18-1355 that allows you to impersonate any user. Suddenly, that spreadsheet labelled “executive_pay.xlsx” from $bossname becomes pretty tempting. Speaking of Exchange, there’s an additional Tampering bug in this month’s release, too. That sort of attack scenario shows how bugs that don’t directly lead to code execution can still be tremendously impactful.
This month also sees several patches for the kernel and kernel-mode drivers, including DirectX. ZDI researcher Fritz Sands recently blogged about kernel elevation through DirectX, which shows how broad this attack surface can be. Rounding out this month’s patches are a few more information disclosure and security feature bypass bugs in Windows components and a few cross-site scripting (XSS) bugs in Microsoft Dynamics, SharePoint, and Windows Azure Pack.
Finally, the only advisory for December is Microsoft’s version of the previously discussed Adobe patch for Flash in Internet Explorer.
Looking Ahead
The next patch Tuesday falls on January 8 of 2019, and we’ll return with details and patch analysis then. Until then, happy patching and may all your reboots be smooth and clean!