Today’s VERT Alert addresses Microsoft’s December 2018 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-809 on Wednesday, December 12th.
In-The-Wild & Disclosed CVEs
CVE-2018-8611
Microsoft is reporting that this Windows kernel privilege escalation vulnerability is seeing active exploitation on older versions of Windows. Successful exploitation can allow an attacker to run code in kernel mode. This issue was resolved by changing how the Windows kernel handles objects in memory. Microsoft has rated this as a 1 on the Exploitability Index (Exploitation More Likely) on their latest Windows release, while active exploitation has been detected on older releases.
CVE-2018-8517
This vulnerability is a publicly disclosed issue with the .NET Framework that could allow an unauthenticated attacker to DoS a .NET Framework based web application by sending malformed web requests. Microsoft has rated this as a 3 on the Exploitability Index (Exploitation Unlikely).
CVE Breakdown by Tag
While historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per tag basis.
Tag |
CVE Count |
CVEs |
Microsoft Dynamics |
1 |
CVE-2018-8651 |
Windows Kernel-Mode Drivers |
1 |
CVE-2018-8641 |
Microsoft Windows DNS |
2 |
CVE-2018-8514, CVE-2018-8626 |
Microsoft Windows |
1 |
CVE-2018-8649 |
Windows Azure Pack |
1 |
CVE-2018-8652 |
.NET Framework |
2 |
CVE-2018-8517, CVE-2018-8540 |
Microsoft Graphics Component |
4 |
CVE-2018-8595, CVE-2018-8596, CVE-2018-8638, CVE-2018-8639 |
Visual Studio |
1 |
CVE-2018-8599 |
Windows Kernel |
6 |
CVE-2018-8477, CVE-2018-8611, CVE-2018-8612, CVE-2018-8621, CVE-2018-8622, CVE-2018-8637 |
Windows Authentication Methods |
1 |
CVE-2018-8634 |
Internet Explorer |
2 |
CVE-2018-8619, CVE-2018-8631 |
Microsoft Exchange Server |
1 |
CVE-2018-8604 |
Microsoft Office |
6 |
CVE-2018-8587, CVE-2018-8597, CVE-2018-8598, CVE-2018-8627, CVE-2018-8628, CVE-2018-8636 |
Microsoft Scripting Engine |
7 |
CVE-2018-8583, CVE-2018-8617, CVE-2018-8618, CVE-2018-8624, CVE-2018-8625, CVE-2018-8629, CVE-2018-8643 |
Microsoft Office SharePoint |
2 |
CVE-2018-8580, CVE-2018-8635 |
Other Information
In addition to the Microsoft vulnerabilities included in the December Security Guidance, a pair of Adobe bulletins are available today.
December 2018 Adobe Flash Security Update [ADV180031]
Microsoft released updates for Adobe Flash. These correspond with Adobe Update APSB18-42. This includes fixes for CVE-2018-15982 and CVE-2018-15983.
Security Bulletin for Adobe Acrobat and Reader [APSB-41]
Adobe has released security updates for Adobe Acrobat and Reader. This includes fixes for 87 CVEs.
