Right on time, Microsoft has released its monthly Patch Tuesday fixes for the month of December. The set of patches, according to the official security update summary, cover a total of 39 vulnerabilities. There are, as is the case with any bulk patch release, certain vulnerabilities that are more dangerous than others and it is those that will be explored in more detail.
The zero-day vulnerability (CVE-2018-8611) is ranked as a 7 on the Common Vulnerability Scoring System scale. What makes this particular vulnerability so dangerous is the ease with which an attacker can execute code injections remotely. The vulnerability report by Microsoft explains it as follows:
An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.
Other patches of note in this release include a fix for the vulnerability (CVE-2018-8517) that allows for a denial-of-service attack against the .NET Framework web application. The DoS attack can occur without any authentication of the attacker and with a remote access to the web application. The way that Microsoft patched the exploit was “correcting how the .NET Framework web application handles web requests.” While the fix is vague, as long as attackers can no longer send specially crafted packets to knock the .NET Framework offline is what matters.
There are far too many patches to go over in a mere news article, but suffice to say that anyone managing a network should take note of these fixes. Microsoft’s Windows 10 fixes are typically too important to ignore as the company’s products are arguably used in the most contexts (business or otherwise), and the vulnerabilities fixed in this month’s Microsoft Patch Tuesday are no exception. So what are you waiting for? Get to patching!