Microsoft has issued patches for 12 critical vulnerabilities in November Patch Tuesday and has fixed a flaw that is being actively exploited by at least one threat group. In total, 64 vulnerabilities have been fixed across Windows, IE, Edge, and other Microsoft products.
The 12 critical vulnerabilities could allow hackers to execute malicious code and take full control of a vulnerable device. The majority of the critical vulnerabilities are in the Chakra Scripting Engine, which account for 8 of the 12 critical flaws.
CVE-2018-8541, CVE-2018-8542, CVE-2018-8543, CVE-2018-8551, CVE-2018-8555, CVE-2018-8556, CVE-2018-8557, and CVE-2018-8588, are all memory corruption vulnerabilities concerning how the Chakra Scripting Engine handles objects in the memory in Microsoft Edge. All eight vulnerabilities could be exploited if a user visits a specially crafted webpage using the Microsoft Edge browser. The vulnerabilities could also be exploited through malvertising.
The other critical vulnerabilities are listed below:
CVE-2018-8476 concerns how objects in the memory are handled by Windows Deployment Services TFTP Server. Exploitation of the vulnerability would allow a hacker to execute arbitrary code on a vulnerable server with elevated permissions.
CVE-2018-8544 concerns how objects in the memory are handled by Windows VBScript Engine. If exploited, an attacker could execute arbitrary code with the same level of privileges as the current user. If the user has administrative rights, an attacker could take full control of a vulnerable system. The vulnerability could be exploited via an embedded Active X control in a Microsoft Office file that hosts the IE rendering engine, via malvertising, or specially crafted webpages.
CVE-2018-8553 concerns how objects in the memory are handled by Microsoft Graphics Components. Exploitation of the vulnerability would require a user to open a specially crafted file, for instance, one sent in a phishing email.
CVE-2018-8609 is the failure of Microsoft Dynamics 365 (on-premises) version 8 to sanitize web requests to a Dynamics server. If exploited, an attacker could run arbitrary code in the context of an SQL service. The flaw could be exploited by sending a specially crafted request to an unpatched Dynamics server.
Microsoft also issued a patch for the actively exploited Windows Win32k Elevation of Privilege Vulnerability CVE-2018-8589. If exploited, an attacker could run arbitrary code in the security context of the local system. However, system access would first need to be gained before the flaw could be exploited.
Adobe has also issued patches this patch Tuesday for Flash Player, Acrobat, Reader, and Photoshop CC.