Microsoft Releases Critical Security Updates Addressing 39 Vulnerabilities
In a significant move this December, Microsoft has released security patches addressing a total of 39 vulnerabilities across its Windows operating systems and applications during its year-end Patch Tuesday. Among these, ten vulnerabilities have been designated as critical, emphasizing the potential severe consequences for affected systems.
Notably, one of the vulnerabilities patched this month had been publicly disclosed before the update, while another is a zero-day that was being actively exploited by several hacking groups, including the FruityArmor and SandCat APTs. The zero-day, discovered by researchers at Kaspersky, is an elevation-of-privilege (EoP) vulnerability in the Windows kernel (ntoskrnl.exe). It allows malicious software that is already running on a machine to execute arbitrary code with elevated privileges, posing a serious risk to affected systems.
The vulnerability, tracked as CVE-2018-8611, resides in the Kernel Transaction Manager and arises from improper handling of transacted file operations in kernel mode. It affects nearly all supported versions of Windows, from Windows 7 through Server 2019. Kaspersky noted that the exploit bypasses several current process mitigation policies, including the Win32k system call filtering used in the Microsoft Edge sandbox and the Win32k lockdown policy deployed in the Google Chrome sandbox. Combined with a compromised renderer process, it could therefore complete a full remote code execution chain against leading web browsers.
This is the third consecutive month in which Microsoft has patched a zero-day Win32k elevation-of-privilege vulnerability. Microsoft also addressed CVE-2018-8517, a denial-of-service flaw in web applications built on the .NET Framework that results from improper handling of certain web requests. Although that issue was publicly disclosed before the patch, Microsoft reports no evidence of active exploitation.
In total, December’s security updates include ten critical and 29 important vulnerabilities, impacting a range of products such as Windows, Edge, Internet Explorer, ChakraCore, Office, and Microsoft Office Services and Web Apps. Moreover, Microsoft has included a critical security update for a newly disclosed zero-day flaw in Adobe Flash Player, which has also been confirmed as actively targeted by a state-sponsored cyber-espionage group.
IT professionals and system administrators are urged to apply these patches promptly, since a publicly known EoP bug and an in-the-wild zero-day raise the likelihood of exploitation. Users can install the latest security updates through Windows Update under Settings, or install them manually.
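For administrators who need to confirm that the December updates actually landed on a fleet, the following PowerShell function (an added example, not code from the article or from Microsoft) reports which of a set of update KB identifiers are missing on a machine. It uses only the built-in `Get-HotFix` and `Get-CimInstance` cmdlets; the KB numbers in it are placeholders, because the article does not list them, and should be replaced with the update ids Microsoft's Security Update Guide gives for CVE-2018-8611 and CVE-2018-8517 on each OS build.

```powershell
# Added example: check a Windows host for required security update KB ids.
# Get-HotFix reads Win32_QuickFixEngineering, which lists installed updates by HotFixID.
function Test-RequiredHotfix {
    param(
        [Parameter(Mandatory)][string[]]$RequiredKb,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $installed = Get-HotFix -ComputerName $ComputerName |
        Select-Object -ExpandProperty HotFixID

    foreach ($kb in $RequiredKb) {
        [pscustomobject]@{
            ComputerName = $ComputerName
            KB           = $kb
            Installed    = ($installed -contains $kb)
        }
    }
}

# Placeholder KB ids (assumption: replace with the December 2018 update ids for your build).
$required = @('KB0000001', 'KB0000002')

$report = Test-RequiredHotfix -RequiredKb $required
$report | Format-Table -AutoSize

# Record the OS caption and build so the result can be matched to the right cumulative update.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
'{0} build {1}' -f $os.Caption, $os.BuildNumber

$missing = $report | Where-Object { -not $_.Installed }
if ($missing) {
    Write-Warning ("Missing {0} update(s) on {1}: {2}" -f `
        $missing.Count, $env:COMPUTERNAME, ($missing.KB -join ', '))
}
```

Two caveats when reading the output: on Windows 10 and Server 2016/2019 the monthly fix ships inside a cumulative update whose newer release supersedes older ones, so compare the reported build number against the current cumulative update rather than expecting one specific KB forever; and `Get-HotFix` only covers updates recorded in Win32_QuickFixEngineering, so Office and Flash Player updates must be verified separately.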
As businesses navigate an increasingly complex threat landscape, staying informed about vulnerabilities and applying patches promptly remains fundamental to keeping systems secure. Experts recommend a proactive approach, using frameworks such as the MITRE ATT&CK matrix to understand the tactics and techniques adversaries employ. This month's fixes illustrate how adversaries chain methods from initial access through privilege escalation to persistence, underscoring the need for layered security measures.