Microsoft Patches 12 Critical Vulnerabilities on November Patch Tuesday

November 16, 2018

 

Microsoft has released patches for 12 critical vulnerabilities on November Patch Tuesday and has fixed a flaw that is being actively exploited by at least one threat group. Altogether, 64 vulnerabilities have been fixed across Windows, Edge, IE, and other Microsoft products.

The 12 critical vulnerabilities could allow attackers to execute malicious code and take complete control of a vulnerable device. The bulk of the critical vulnerabilities are in the Chakra Scripting Engine, which accounts for 8 of the 12 critical flaws.

CVE-2018-8541, CVE-2018-8542, CVE-2018-8543, CVE-2018-8551, CVE-2018-8555, CVE-2018-8556, CVE-2018-8557, and CVE-2018-8588 are all memory corruption vulnerabilities in how the Chakra Scripting Engine handles objects in memory in Microsoft Edge. All eight vulnerabilities could be exploited if a user visits a specially crafted webpage using the Microsoft Edge browser. The vulnerabilities could also be exploited through malvertising.

The other critical vulnerabilities are listed below:

CVE-2018-8476 relates to how objects in memory are handled by the Windows Deployment Services TFTP Server. Exploitation of the vulnerability would let an attacker execute arbitrary code on a vulnerable server with elevated permissions.

CVE-2018-8544 relates to how objects in memory are handled by the Windows VBScript Engine. If exploited, an attacker could execute arbitrary code with the same level of rights as the current user. If the user has administrative rights, an attacker could take complete control of a vulnerable system. The vulnerability could be exploited through an embedded ActiveX control in a Microsoft Office file that hosts the IE rendering engine, through malvertising, or through specially crafted webpages.

CVE-2018-8553 relates to how objects in memory are handled by Microsoft Graphics Components. Exploitation of the vulnerability would require a user to open a specially crafted file, for example, one sent in a phishing email.

CVE-2018-8609 is the failure of Microsoft Dynamics 365 (on-premises) version 8 to sanitize web requests to a Dynamics server. If exploited, an attacker could run arbitrary code in the context of the SQL service. The flaw could be exploited by sending a specially crafted request to an unpatched Dynamics server.

Microsoft also released a patch for the actively exploited Windows Win32k Elevation of Privilege Vulnerability, CVE-2018-8589. If exploited, an attacker could run arbitrary code in the security context of the local system. However, an attacker would first need to gain access to the system before the flaw could be exploited.

Adobe has also released patches this Patch Tuesday for Flash Player, Reader, Acrobat, and Photoshop CC.