Virtual Administrator’s December 2018 Patch Recommendations
This month Microsoft released patches for 39 vulnerabilities, with 9 of them rated “Critical” and 30 “Important”.
All December patches have been approved in our patch policy.
This month a zero-day security flaw, CVE-2018-8611, is included in the Monthly Rollup/Cumulative Update. Also, a Microsoft Security Advisory for Adobe Flash (ADV180031) was posted on 12/05/2018. Overall this is a light month. Outside of the zero-day patches, CVE-2018-8517 is a .NET denial of service flaw that is publicly known but not known to be exploited yet. There are remote code execution browser vulnerabilities in IE (CVE-2018-8631) and Edge (CVE-2018-8624). CVE-2018-8628 is a flaw in all supported versions of PowerPoint. Two new Servicing Stack updates were added to the ADV990001 security advisory initially posted last month. The known issues listed below are the same ones from last month, with the exception of a minor issue in KB4471324 where some users cannot pin a web link on the Start menu or the taskbar.
FYI per Microsoft: “Because of minimal operations during the holidays and upcoming Western new year, there won’t be any preview releases for the month of December 2018. Monthly servicing will resume with the January 2019 security releases.”
Security Update Guide
https://portal.msrc.microsoft.com/en-us/security-guidance
Morphus Labs patch dashboard here: https://patchtuesdaydashboard.com
Affected software includes:
- Adobe Flash Player
- Internet Explorer
- Microsoft Edge
- Microsoft Windows
- Microsoft Office and Microsoft Office Services and Web Apps
- ChakraCore
- .NET Framework
- Microsoft Dynamics NAV
- Microsoft Exchange Server
- Microsoft Visual Studio
- Windows Azure Pack (WAP)
Microsoft Security Advisories
ADV180031 | December 2018 Adobe Flash Security Update (Published: 12/05/2018)
https://support.microsoft.com/en-us/help/4471331/security-update-for-adobe-flash-player
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180031
This security update addresses the following vulnerabilities, which are described in Adobe Security Bulletin APSB18-42: CVE-2018-15982, CVE-2018-15983
https://helpx.adobe.com/security/products/flash-player/apsb18-42.html
ADV990001 | Latest Servicing Stack Updates (Published: 11/13/2018)
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001
This is a list of the latest servicing stack updates for each operating system. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update.
Known Issues: KB4471321, KB4471327, KB4471329, KB4471324, KB4471318
KB4471321 (Cumulative Update)
Applies to: Windows 10 version 1607, Windows Server 2016
https://support.microsoft.com/en-us/help/4471321/windows-10-update-kb4471321
Symptom: After you install the August Preview of Quality Rollup or September 11, 2018 .NET Framework update, instantiation of SqlConnection can throw an exception. For more information about this issue, see the following article in the Microsoft Knowledge Base:
4470809 SqlConnection instantiation exception on .NET 4.6 and later after August-September 2018 .NET Framework updates.
Workaround: None. Microsoft is working on a resolution and will provide an update in an upcoming release.
KB4471327 (Cumulative Update)
Applies to: Windows 10 version 1703
https://support.microsoft.com/en-us/help/4471327/windows-10-update-kb4471327
Symptom: After you install the August Preview of Quality Rollup or September 11, 2018 .NET Framework update, instantiation of SqlConnection can throw an exception. For more information about this issue, see the following article in the Microsoft Knowledge Base:
4470809 SqlConnection instantiation exception on .NET 4.6 and later after August-September 2018 .NET Framework updates.
Workaround: None. Microsoft is working on a resolution and will provide an update in an upcoming release.
KB4471329 (Cumulative Update)
Applies to: Windows 10 version 1709
https://support.microsoft.com/en-us/help/4471329/windows-10-update-kb4471329
Symptom: After you install the August Preview of Quality Rollup or September 11, 2018 .NET Framework update, instantiation of SqlConnection can throw an exception. For more information about this issue, see the following article in the Microsoft Knowledge Base:
4470809 SqlConnection instantiation exception on .NET 4.6 and later after August-September 2018 .NET Framework updates.
Workaround: None. Microsoft is working on a resolution and will provide an update in an upcoming release.
KB4471324 (Cumulative Update)
Applies to: Windows 10 version 1803
https://support.microsoft.com/en-us/help/4471324/windows-10-update-kb4471324
Symptom: After you install the August Preview of Quality Rollup or September 11, 2018 .NET Framework update, instantiation of SqlConnection can throw an exception. For more information about this issue, see the following article in the Microsoft Knowledge Base:
4470809 SqlConnection instantiation exception on .NET 4.6 and later after August-September 2018 .NET Framework updates.
Workaround: None. Microsoft is working on a resolution and will provide an update in an upcoming release.
Symptom: After installing this update, some users cannot pin a web link on the Start menu or the taskbar.
Workaround: None. Microsoft is working on a resolution and will provide an update in an upcoming release.
KB4471318 (Monthly Rollup)
Applies to: Windows 7 SP1, Windows Server 2008 R2 SP1
https://support.microsoft.com/en-us/help/4471318/windows-7-update-kb4471318
Symptom: After you apply this update, the network interface controller may stop working on some client software configurations. This occurs because of an issue related to a missing file, oem<number>.inf. The exact problematic configurations are currently unknown.
Workaround:
1) To locate the network device, launch devmgmt.msc. It may appear under Other Devices.
2) To automatically rediscover the NIC and install drivers, select Scan for Hardware Changes from the Action menu.
- Alternatively, install the drivers for the network device by right-clicking the device and choosing Update. Then choose Search automatically for updated driver software or Browse my computer for driver software.
Monthly Rollup/Security Only/Windows 10/Server 2016 KBs
Links follow the pattern https://support.microsoft.com/en-us/help/#######, where ####### is the KB number only.
Security and Quality Rollup
- KB4471318 – Windows 7, Windows Server 2008 R2
- KB4471320 – Windows 8.1, Windows Server 2012 R2
- KB4471330 – Windows Server 2012
- KB4471325 – Windows Server 2008
Security Only Update
- KB4471328 – Windows 7, Windows Server 2008 R2
- KB4471322 – Windows 8.1, Windows Server 2012 R2
- KB4471326 – Windows Server 2012
- KB4471319 – Windows Server 2008
Cumulative Update for Windows 10
- KB4471323 – Original release version 1507 (OS Build 10240)
- None – Version 1511 (OS Build 10586)
- KB4471321 – Version 1607 “Anniversary Update” (OS Build 14393)
- KB4471327 – Version 1703 “Creators Update” (OS Build 15063)
- KB4471329 – Version 1709 “Fall Creators Update” (OS Build 16299)
- KB4471324 – Version 1803 “Spring Creators Update” (OS Build 17134)
- KB4471332 – Version 1809 “October 2018 Update” (OS Build 17763)
Note: Server 2016 uses the same KB as Windows 10 Version 1607
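One way to check a host against the KB lists above, as an added example rather than part of the original bulletin: the script maps the OS version to the December 2018 KBs named on this page and looks for them with Get-HotFix. The names `$Dec2018` and `Test-Dec2018Update` are illustrative.

```powershell
# Added example: KB numbers are taken from the lists on this page;
# $Dec2018 and Test-Dec2018Update are illustrative names.
$Dec2018 = @{
    # Windows 10 cumulative updates, keyed by OS build
    '10240' = @('KB4471323')
    '10586' = @()                          # page lists "None" for version 1511
    '14393' = @('KB4471321')               # also Windows Server 2016
    '15063' = @('KB4471327')
    '16299' = @('KB4471329')
    '17134' = @('KB4471324')
    '17763' = @('KB4471332')
    # Older systems, keyed by major.minor: Monthly Rollup, Security Only
    '6.0'   = @('KB4471325', 'KB4471319')  # Windows Server 2008
    '6.1'   = @('KB4471318', 'KB4471328')  # Windows 7, Server 2008 R2
    '6.2'   = @('KB4471330', 'KB4471326')  # Windows Server 2012
    '6.3'   = @('KB4471320', 'KB4471322')  # Windows 8.1, Server 2012 R2
}

function Test-Dec2018Update {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Get-WmiObject is used so the check also runs on PowerShell 2.0 (Windows 7).
    $os  = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
    $ver = [version]$os.Version
    $key = if ($ver.Major -ge 10) { [string]$ver.Build } else { "$($ver.Major).$($ver.Minor)" }

    if (-not $Dec2018.ContainsKey($key)) {
        $status = 'Unknown OS version'; $expected = @(); $found = @()
    } else {
        $expected = $Dec2018[$key]
        # List all installed updates and filter locally; a missing KB is then
        # an empty result rather than an error from Get-HotFix -Id.
        $found = @(Get-HotFix -ComputerName $ComputerName |
                   Where-Object { $expected -contains $_.HotFixID } |
                   ForEach-Object { $_.HotFixID })
        if ($expected.Count -eq 0)  { $status = 'No update listed' }
        elseif ($found.Count -gt 0) { $status = 'Installed' }
        else                        { $status = 'Missing' }
    }

    New-Object PSObject -Property @{
        ComputerName = $ComputerName
        OSVersion    = $os.Version
        Expected     = $expected -join ', '
        Found        = $found -join ', '
        Status       = $status
    }
}

Test-Dec2018Update
```

Get-HotFix only reports what the system currently lists, so a host that has since installed a later cumulative update may show `Missing` for the December KB.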
KB4470199 – Cumulative Security Update for Internet Explorer 9/10/11
This cumulative update is included in the monthly updates listed above. It can be installed instead of the monthly update to secure Internet Explorer; otherwise it is “superseded” by the monthly update.
.NET Framework
Security and Quality Rollup (Security Only) for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2
- KB4471987 (KB4471981) – Windows 7, Windows Server 2008 R2
- KB4471989 (KB4471983) – Windows 8.1, Windows Server 2012 R2
- KB4471988 (KB4471982) – Windows Server 2012
- KB4471990 (KB4471984) – Windows Server 2008 (.NET Framework 2.0, 3.0, 4.5.2, 4.6)
KB4471331 – Security Update for Adobe Flash Player
December 2018 updates for Microsoft Office
https://support.microsoft.com/en-us/help/4477615/december2018updatesformicrosoftoffice
Notable CVEs
CVE-2018-8517 | .NET Framework Denial Of Service Vulnerability (Cumulative Update)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8517
A denial of service vulnerability exists when .NET Framework improperly handles special web requests.
An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET Framework web application. The vulnerability can be exploited remotely, without authentication.
A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET Framework application.
The update addresses the vulnerability by correcting how the .NET Framework web application handles web requests.
CVE-2018-8604 | Microsoft Exchange Server Tampering Vulnerability (KB4468741)
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8604
A tampering vulnerability exists when Microsoft Exchange Server fails to properly handle profile data. An attacker who successfully exploited this vulnerability could modify a targeted user’s profile data.
To exploit the vulnerability, an attacker would need to be authenticated on an affected Exchange Server. The attacker would then need to send a specially modified request to the server, targeting a specific user.
The security update addresses the vulnerability by modifying how Microsoft Exchange Server handles profile data.
CVE-2018-8611 | Windows Kernel Elevation of Privilege Vulnerability (Cumulative Update)
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8611
An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.
The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
CVE-2018-8624 | Chakra Scripting Engine Memory Corruption Vulnerability (Cumulative Update)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8624
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.
The security update addresses the vulnerability by modifying how the Chakra scripting engine handles objects in memory.
CVE-2018-8626 | Windows DNS Server Heap Overflow Vulnerability (Cumulative Update)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8626
A remote code execution vulnerability exists in Windows Domain Name System (DNS) servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.
To exploit the vulnerability, an unauthenticated attacker could send malicious requests to a Windows DNS server.
The update addresses the vulnerability by modifying how Windows DNS servers handle requests.
CVE-2018-8628 | Microsoft PowerPoint Remote Code Execution Vulnerability (KB for each version)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8628
A remote code execution vulnerability exists in Microsoft PowerPoint software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office PowerPoint software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.
Note that the Preview Pane is not an attack vector for this vulnerability. The security update addresses the vulnerability by correcting how Microsoft PowerPoint handles objects in memory.
CVE-2018-8631 | Internet Explorer Memory Corruption Vulnerability (Cumulative Update)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8631
A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, the attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
An attacker could host a specially crafted website designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. The attacker could also take advantage of compromised websites, or websites that accept or host user-provided content or advertisements, by adding specially crafted content that could exploit the vulnerability. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.
The security update addresses the vulnerability by modifying how Internet Explorer handles objects in memory.