Microsoft and Adobe Patch Zero-Day Vulnerabilities

Microsoft and Adobe Systems released their monthly scheduled security updates Nov. 14, both companies fixing some vulnerabilities that were known publicly before being patched.

Microsoft fixed 62 vulnerabilities across its product portfolio, 12 of which are rated critical. Furthermore, 10 of those critical flaws can be exploited by opening malicious web pages or files.

“Browser and Scripting Engine patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser,” said Jimmy Graham, director of product management at Qualys, in a blog post. “This includes multi-user servers that are used as remote desktops for users.”

The patch for a privilege escalation flaw tracked as CVE-2018-8589 should also be prioritized, even though the vulnerability is not rated critical. That’s because attackers already know about it and have been exploiting it since last month, according to researchers from Kaspersky Lab.

The vulnerability is located in the Windows Win32k component and can be exploited by malware that’s already running on a machine to take full control over the system.

“The exploit was executed by the first stage of a malware installer in order to gain the necessary privileges for persistence on the victim’s system,” the Kaspersky Lab researchers said in a blog post. “So far, we have detected a very limited number of attacks using this vulnerability. The victims are located in the Middle East.”

This month, Microsoft also patched a second privilege escalation flaw in the Windows Data Sharing Service (dssvc.dll) that was disclosed by a security researcher on Twitter in October.

Windows administrators in enterprise environments should also prioritize the patch for CVE-2018-8476, a remote code execution vulnerability in the TFTP Server used by the Windows Deployment Services (WDS). Attackers can exploit this vulnerability to execute arbitrary code with elevated permissions on target machines by sending specially crafted requests.

Enterprises that run Microsoft Dynamics 365 version 8 on-premises should install the patches available for it, especially for CVE-2018-8609, a vulnerability that could allow attackers to run arbitrary code in the context of the SQL service account.

Microsoft also patched a vulnerability in its BitLocker full-disk encryption technology that could allow an attacker with access to a powered-off system to gain access to encrypted data. The issue is caused by the way Windows suspends the drive encryption.

Adobe Systems, meanwhile, released security updates for its Flash Player, Reader, Acrobat and Photoshop products. None of the patched flaws are rated critical, but they can result in information disclosure.

The vulnerability fixed in Reader and Acrobat, tracked as CVE-2018-15979, can be used to trick Reader and Acrobat into leaking the user’s hashed Windows NTLM password to an external resource. NTLM is an authentication protocol used on Windows networks.

This vulnerability is not new, and a proof-of-concept exploit already exists for it. It can be mitigated by using a security mechanism introduced by Microsoft in Windows 10 and Server 2016 that prevents NTLM SSO authentication with resources that are not marked as internal by the Windows Firewall.

Furthermore, enabling the Protected View feature in Acrobat DC and Reader DC can prevent exploitation of this vulnerability through PDF files.

The vulnerabilities in Flash Player and Photoshop CC, CVE-2018-15978 and CVE-2018-15980 respectively, are caused by out-of-bounds reads and can leak memory locations. Information disclosure flaws such as these can be used together with arbitrary code execution flaws to create exploit chains that bypass anti-exploit protections.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42