December 2018 Patch Tuesday has seen Microsoft issue patches for 39 vulnerabilities, 10 of which have been rated critical and two of which are being actively exploited in the wild. There are 9 critical vulnerabilities in Microsoft products and one critical vulnerability in Adobe Flash Player.
The patches cover the following products and services: Microsoft Windows, Microsoft Office, Internet Explorer, Microsoft Edge, Microsoft Office SharePoint, Microsoft Graphics Component, Microsoft Exchange Server, Microsoft Dynamics, Microsoft Scripting Engine, Microsoft Windows DNS, Visual Studio, Windows Authentication Methods, Windows Azure Pack, Windows Kernel, Windows Kernel-Mode Drivers, and .NET Framework.
December 2018 Patch Tuesday Critical Microsoft Vulnerabilities
The critical vulnerabilities affect the Chakra Scripting Engine of Microsoft Edge (5), .NET Framework (1), Microsoft Text-to-Speech (1), Internet Explorer (1), and Windows DNS Server (1).
- CVE-2018-8583; CVE-2018-8617; CVE-2018-8618; CVE-2018-8624; CVE-2018-8629: Chakra Scripting Engine: Memory corruption vulnerabilities due to how Microsoft Edge handles objects in memory. Exploitation would require a user to visit a specially crafted website, through a link in a phishing email or malvertising, for example.
- CVE-2018-8540: .NET Framework: A remote code injection vulnerability when the .NET Framework fails to validate input correctly. An attacker could gain full control of an affected system if an admin user’s account is compromised.
- CVE-2018-8626: Windows DNS Server: A heap overflow vulnerability affecting Windows servers configured as DNS servers, which could allow remote code execution in the context of the Local System Account.
- CVE-2018-8631: Internet Explorer: A memory corruption vulnerability that could allow remote code execution. Exploitation would require a user to visit a specially crafted website, through a link in a phishing email, for example.
- CVE-2018-8634: Microsoft Text-to-Speech: A remote code execution vulnerability due to a failure to correctly handle objects in memory. The flaw could be exploited to take full control of a vulnerable system.
- ADV180031: Adobe Flash Player: Adobe patched two vulnerabilities in an out-of-band update on December 5. Microsoft has addressed these vulnerabilities, which are currently being exploited in the wild.
Adobe Updates: December 2018 Patch Tuesday
Adobe has released a large number of updates to address a slew of recently discovered vulnerabilities. 87 updates have been included in total, 39 of which have been rated critical and could allow an attacker to execute arbitrary code or elevate privileges on vulnerable devices. Many of the vulnerabilities could be used together to give an attacker full control of a vulnerable computer.
These patches are in addition to an out-of-band update issued earlier in December to fix two actively exploited vulnerabilities.
All patches should be applied as soon as possible.