Microsoft Patch Tuesday for December squashes some nasty bugs

Right on time, Microsoft has released its monthly Patch Tuesday fixes for the month of December. The set of patches, according to the official security update summary, cover a total of 39 vulnerabilities. There are, as is the case with any bulk patch release, certain vulnerabilities that are more dangerous than others and it is those that will be explored in more detail.

The zero-day vulnerability (CVE-2018-8611) is ranked as a 7 on the Common Vulnerability Scoring System scale. What makes this particular vulnerability so dangerous is the ease with which an attacker can execute code injections remotely. The vulnerability report by Microsoft explains it as follows:

An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.

Other patches of note in this release include a fix for the vulnerability (CVE-2018-8517) that allows for a denial-of-service attack against the .NET Framework web application. The DoS attack can occur without any authentication of the attacker and with a remote access to the web application. The way that Microsoft patched the exploit was “correcting how the .NET Framework web application handles web requests.” While the fix is vague, as long as attackers can no longer send specially crafted packets to knock the .NET Framework offline is what matters.

There are far too many patches to go over in a mere news article, but suffice to say that anyone managing a network should take note of these fixes. Microsoft’s Windows 10 fixes are typically too important to ignore as the company’s products are arguably used in the most contexts (business or otherwise), and the vulnerabilities fixed in this month’s Microsoft Patch Tuesday are no exception. So what are you waiting for? Get to patching!

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.

Share
Published by
Derek Kortepeter

Recent Posts

Review: Identity verification solution Specops Secure Service Desk

Specops Secure Service Desk is an innovative solution for positively identifying a user who calls…

13 hours ago

Apple Silicon: What it means for the world of personal computing

Apple is moving away from Intel processors to use its own Apple Silicon processors to…

16 hours ago

RAID 0 vs. RAID 1: When to use each level and why

Two of the most popular RAID levels for improving performance are RAID 0 and RAID…

19 hours ago

Got cybersecurity tools? Good. Got too many? That may be a problem

Strength in numbers may not apply to cybersecurity tools. In fact, using too many tools…

2 days ago

Getting started with System Center Operations Manager

System Center Operations Manager can monitor your IT resources, but the tool is only as…

2 days ago

Microsoft 365 administration: Creating DNS records for email security

Microsoft 365 administration has many facets, but none is more important than configuring email. Here’s…

2 days ago