This November, Microsoft released its monthly security patches covering a total of 63 vulnerabilities: 12 rated Critical, 47 rated Important, one rated Moderate and three rated Low in severity. The vulnerabilities affect Internet Explorer, Microsoft Edge, Microsoft Windows, Microsoft Office, Microsoft Office Services and Web Apps, ChakraCore, .NET Core, Skype for Business, Azure App Service on Azure Stack, Team Foundation Server, Microsoft Dynamics 365 (on-premises), PowerShell Core and Microsoft.PowerShell.Archive. Among them, one (CVE-2018-8589) was being actively exploited and two (CVE-2018-8584, CVE-2018-8566) were listed as publicly known at the time of release.
Zero-day Vulnerability In-the-wild
CVE-2018-8589: As in last month's release, a Windows Win32k elevation of privilege vulnerability is under active attack. The flaw was reported by Kaspersky Lab, which observed malware exploiting it to elevate privileges and take full control of an affected system.
According to Kaspersky Lab:
In October 2018, our Automatic Exploit Prevention (AEP) systems detected an attempt to exploit a vulnerability in Microsoft’s Windows operating system. Further analysis revealed a zero-day vulnerability in win32k.sys. The exploit was executed by the first stage of a malware installer in order to gain the necessary privileges for persistence on the victim’s system. So far, we have detected a very limited number of attacks using this vulnerability. The victims are located in the Middle East.
Publicly Known Vulnerabilities
1) CVE-2018-8584: An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). To exploit it, an attacker would first have to log on to the system and then run a specially crafted application that exploits the flaw and takes control of the affected system. Microsoft's update addresses the vulnerability by correcting how Windows handles calls to ALPC.
2) CVE-2018-8566: A security feature bypass vulnerability exists when Windows improperly suspends BitLocker Device Encryption. An attacker needs physical access to exploit it: with the affected system powered off, the attacker can exploit the vulnerability to gain access to encrypted data. Microsoft fixes the vulnerability by ensuring that Windows resumes BitLocker Device Encryption.
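The condition CVE-2018-8566 leaves a machine in is BitLocker suspended: the volume is fully encrypted but its clear key is kept on disk, so the data is readable without any protector. The script below is an added example (not code from the original post or from Microsoft) that audits every BitLocker volume for that state and, with `-Resume`, re-seals it. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later) and an elevated prompt; the `TpmOnly` column is an extra hardening flag, since a volume protected only by a TPM with no PIN is also the weakest configuration against an attacker with physical access.

```powershell
# Added example: audit BitLocker volumes for suspended protection and optionally resume it.
# Requires the BitLocker module (Get-BitLockerVolume / Resume-BitLocker) and elevation.
[CmdletBinding()]
param(
    [switch]$Resume   # pass -Resume to re-enable protection on any suspended volume
)

$findings = foreach ($vol in Get-BitLockerVolume) {
    # Encrypted volume with ProtectionStatus 'Off' == suspended: clear key stored on disk.
    $suspended = ($vol.VolumeStatus -eq 'FullyEncrypted' -and $vol.ProtectionStatus -eq 'Off')

    # Collect protector types (e.g. Tpm, TpmPin, RecoveryPassword, Password).
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $tpmOnly = ($types -contains 'Tpm') -and -not ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey')

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        Protectors       = ($types -join ',')
        Suspended        = $suspended
        TpmOnly          = $tpmOnly
    }
}

$findings | Format-Table -AutoSize

$bad = @($findings | Where-Object Suspended)
if ($bad.Count -eq 0) {
    Write-Host 'No suspended BitLocker volumes found.'
}

foreach ($f in $bad) {
    Write-Warning ("Volume {0} is encrypted but protection is suspended (data readable offline)." -f $f.MountPoint)
    if ($Resume) {
        # Resume-BitLocker re-seals the volume with its existing key protectors; no re-encryption needed.
        Resume-BitLocker -MountPoint $f.MountPoint | Out-Null
        Write-Host ("Resumed protection on {0}" -f $f.MountPoint)
    }
}

foreach ($f in ($findings | Where-Object TpmOnly)) {
    Write-Warning ("Volume {0} is protected by TPM only; consider adding a PIN (TpmPin) for physical-access resistance." -f $f.MountPoint)
}
```

Run it read-only first to see the table; `.\Check-BitLocker.ps1 -Resume` then resumes any suspended volume. Suspension is a legitimate, temporary state during firmware or OS upgrades, so a finding on a machine mid-upgrade is expected; a finding on a machine that has been running normally for days is not.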
A few other critical vulnerabilities
1) CVE-2018-8476: A remote code execution vulnerability exists in the way the Windows Deployment Services TFTP Server handles objects in memory. To exploit it, an attacker could send a specially crafted TFTP message, causing Windows to execute arbitrary code with elevated permissions. Microsoft addresses the vulnerability by correcting how the Windows Deployment Services TFTP Server handles objects in memory.
2) CVE-2018-8450: A remote code execution vulnerability exists when Windows Search handles objects in memory. To exploit it, an attacker could send specially crafted messages to the Windows Search service. An attacker with access to a target computer could use the flaw to elevate privileges and take control of the computer; in an enterprise scenario, a remote authenticated attacker could also trigger it through an SMB connection and take control of the target. Microsoft addresses the vulnerability by correcting how Windows Search handles objects in memory. Because it is reachable over the network via SMB, this one should be patched first.
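Both bugs above are worth prioritising by exposure rather than by CVSS alone: the WDS TFTP listener accepts unauthenticated UDP, and Windows Search becomes remotely reachable only where SMB is also exposed. The script below is an added example (not from the original post or from Microsoft) that inventories exactly that on a host: whether the WDSServer service is present and UDP/69 is bound, and whether WSearch is running alongside a listening TCP/445. It assumes an elevated prompt and the NetTCPIP cmdlets (Windows 8 / Server 2012 and later); the service names WDSServer and WSearch are the standard ones for those two components.

```powershell
# Added example: report the network attack surface relevant to CVE-2018-8476 (WDS TFTP)
# and CVE-2018-8450 (Windows Search over SMB) for the local host. Run elevated.

function Get-ServiceState {
    param([string]$Name)
    # Returns 'NotInstalled' when the service does not exist, otherwise its status.
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) { return 'NotInstalled' }
    return $svc.Status.ToString()
}

$wds     = Get-ServiceState -Name 'WDSServer'
$wsearch = Get-ServiceState -Name 'WSearch'

# TFTP is UDP/69; SMB is TCP/445. Empty arrays mean nothing is bound.
$tftp = @(Get-NetUDPEndpoint   -LocalPort 69  -ErrorAction SilentlyContinue)
$smb  = @(Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

$report = [pscustomobject]@{
    ComputerName  = $env:COMPUTERNAME
    WDSServer     = $wds
    TftpListening = ($tftp.Count -gt 0)
    TftpBoundTo   = (($tftp | ForEach-Object { $_.LocalAddress }) -join ',')
    WSearch       = $wsearch
    SmbListening  = ($smb.Count -gt 0)
}
$report | Format-List

# Exposure-based prioritisation, using only what the host itself reports.
if ($report.TftpListening -and $wds -eq 'Running') {
    Write-Warning 'WDS TFTP server is listening on UDP/69: unauthenticated RCE path for CVE-2018-8476. Patch first or restrict UDP/69 to the deployment VLAN.'
}
if ($report.SmbListening -and $wsearch -eq 'Running') {
    Write-Warning 'Windows Search is running on a host exposing SMB: CVE-2018-8450 is reachable by remote authenticated users.'
}
if (-not $report.TftpListening -and -not ($report.SmbListening -and $wsearch -eq 'Running')) {
    Write-Host 'Neither remote path is exposed on this host; patch in the normal cycle.'
}
```

Wrap the body in `Invoke-Command -ComputerName` to sweep a server estate; hosts that raise the TFTP warning are the ones where an unauthenticated attacker on the network has a direct path, so they go to the top of the list.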
The November 2018 Patch Tuesday release consists of security updates for the following products:
- .NET Core
- Azure App Service on Azure Stack
- Internet Explorer
- Microsoft Dynamics 365 (on-premises)
- Microsoft Edge
- Microsoft Office and Microsoft Office Services and Web Apps
- Microsoft Windows
- PowerShell Core
- Skype for Business
- Team Foundation Server
Microsoft security bulletin summary for November 2018:
Product: Internet Explorer
Impact: Information Disclosure, Remote Code Execution
KBs: 4467701, 4466536, 4467107, 4467697, 4467691, 4467680, 4467696, 4467686, 4467702, 4467708, 4467706
CVEs/Advisory: CVE-2018-8552, CVE-2018-8570
Product: Microsoft Dynamics 365 (on-premises)
Impact: Remote Code Execution, Spoofing
CVEs/Advisory: CVE-2018-8605, CVE-2018-8606, CVE-2018-8607, CVE-2018-8608, CVE-2018-8609
Product: Microsoft Edge
Impact: Remote Code Execution, Information Disclosure, Spoofing, Elevation of Privilege
KBs: 4467702, 4467708, 4467691, 4467696, 4467680, 4467686
CVEs/Advisory: CVE-2018-8541, CVE-2018-8542, CVE-2018-8543, CVE-2018-8545, CVE-2018-8551, CVE-2018-8555, CVE-2018-8556, CVE-2018-8557, CVE-2018-8564, CVE-2018-8567, CVE-2018-8588
Product: ChakraCore
Impact: Remote Code Execution
Release Notes: 1113
CVEs/Advisory: CVE-2018-8541, CVE-2018-8542, CVE-2018-8543, CVE-2018-8551, CVE-2018-8555, CVE-2018-8556, CVE-2018-8557, CVE-2018-8588
Product: Team Foundation Server
Impact: Remote Code Execution, Spoofing
Releases: tfs2017-update3, tfs2018-update1, tfs2018-update3
CVEs/Advisory: CVE-2018-8529, CVE-2018-8602
Product: Microsoft Exchange Server
Impact: Elevation of Privilege
Product: Microsoft Office
Impact: Remote Code Execution, Denial of Service, Information Disclosure, Elevation of Privilege
KBs: 4011190, 4461530, 4461488, 4461503, 4461519, 4461487, 3114565, 4461524, 4032218, 4022237, 4022232, 4461518, 4461527, 4092473, 4461529, 4461486, 4461506, 4022147, 4461478, 4461489, 4461483, 4461501, 4461511, 4461520, 4461513, 4461526, 4461485, 4461504, 4461473
CVEs/Advisory: CVE-2018-8522, CVE-2018-8524, CVE-2018-8539, CVE-2018-8546, CVE-2018-8558, CVE-2018-8568, CVE-2018-8572, CVE-2018-8573, CVE-2018-8574, CVE-2018-8575, CVE-2018-8576, CVE-2018-8577, CVE-2018-8578, CVE-2018-8579, CVE-2018-8582
Product: Microsoft Windows
Impact: Remote Code Execution, Information Disclosure, Tampering, Defense in Depth, Security Feature Bypass, Elevation of Privilege, Spoofing
KBs: 4467680, 4093430, 4467691, 4465659, 4467696, 4465660, 4467686, 4465661, 4467702, 4465663, 4467708, 4465664, 4467107, 4467106, 3177467, 4467697, 4467703, 3173424, 4467706, 4467700, 3020369, 4467701, 4467678, 3173426
CVEs/Advisory: ADV990001, CVE-2018-8256, CVE-2018-8407, CVE-2018-8408, CVE-2018-8415, CVE-2018-8417, CVE-2018-8450, CVE-2018-8454, CVE-2018-8471, CVE-2018-8476, CVE-2018-8485, CVE-2018-8544, CVE-2018-8547, CVE-2018-8549, CVE-2018-8550, CVE-2018-8553, CVE-2018-8554, CVE-2018-8561, CVE-2018-8562, CVE-2018-8563, CVE-2018-8565, CVE-2018-8566, CVE-2018-8584, CVE-2018-8589, CVE-2018-8592
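The Windows KB list above is what an administrator actually checks for on a host. The script below is an added example (not from the original post or from Microsoft) that takes those KB numbers and reports whether any of them is installed, locally or across a list of computers. Only the KB that matches a host's OS build will ever be present, so a single hit means the November 2018 update is in place. One caveat a practitioner needs: cumulative updates are superseded, so a host that later received December's or a newer cumulative update will show none of these KBs and yet is not vulnerable; treat a miss as "check the current cumulative update level", not as "vulnerable". It assumes `Get-HotFix` can reach the remote hosts over WMI.

```powershell
# Added example: check hosts for the November 2018 Windows security KBs listed on this page.
# A match on any one KB means the host received that month's update for its OS build.

$novemberKBs = @(
    'KB4467680','KB4093430','KB4467691','KB4465659','KB4467696','KB4465660',
    'KB4467686','KB4465661','KB4467702','KB4465663','KB4467708','KB4465664',
    'KB4467107','KB4467106','KB3177467','KB4467697','KB4467703','KB3173424',
    'KB4467706','KB4467700','KB3020369','KB4467701','KB4467678','KB3173426'
)

function Test-November2018Patch {
    param([string[]]$ComputerName = $env:COMPUTERNAME)

    foreach ($c in $ComputerName) {
        # Get-HotFix enumerates installed updates (Win32_QuickFixEngineering) over WMI.
        $installed = Get-HotFix -ComputerName $c -ErrorAction SilentlyContinue |
                     Select-Object -ExpandProperty HotFixID
        $hits = @($installed | Where-Object { $novemberKBs -contains $_ })

        # OS build helps decide which KB was expected, and whether a newer cumulative
        # update could have superseded it (in which case a miss is not a finding).
        $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $c -ErrorAction SilentlyContinue
        $latest = Get-HotFix -ComputerName $c -ErrorAction SilentlyContinue |
                  Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1

        [pscustomobject]@{
            ComputerName   = $c
            Reachable      = [bool]$os
            OSVersion      = $os.Version
            NovemberKBs    = ($hits -join ',')
            HasNovemberKB  = ($hits.Count -gt 0)
            LatestHotFix   = $latest.HotFixID
            LatestInstalled= $latest.InstalledOn
        }
    }
}

# Local host by default; pass -ComputerName (Get-Content .\hosts.txt) to sweep a list.
Test-November2018Patch | Format-Table -AutoSize
```

Hosts that report `HasNovemberKB = False` with a `LatestInstalled` date before 13 November 2018 are the ones missing the release; a later date with no November KB usually means a newer cumulative update superseded it and should be confirmed against that update's KB article.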