The November 2018 Security Update Review

November 13, 2018 | Dustin Childs

November is here and with it comes the latest in security offerings from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.

Adobe Patches for November 2018

For November, Adobe released patches covering Flash, Acrobat, and Photoshop. The Flash update corrects a single CVE that could allow an Out-Of-Bounds Read. The Important-severity bug could allow an information disclosure if exploited. The patch for Adobe Acrobat and Reader also correct a single info disclosure issue. Adobe notes the proof of concept code for this CVE has been made publicly available. Rounding things out, the Photoshop patch fixes a single Out-Of-Bounds read which could result in an information disclosure. This last bug was submitted through the ZDI program.

Microsoft Patches for November 2018

Microsoft released 63 security patches and three advisories covering Internet Explorer (IE), Edge, ChackraCore, Microsoft Windows, Microsoft Dynamics, Office and Microsoft Office Services and Web Apps, .NET Framework, and Skype for Business. Of these 63 CVEs, 12 are listed as Critical, 49 are rated Important, one is rated as Moderate, and one is rated Low in severity. A total of five of these CVEs came through the ZDI program. Two of these bugs are listed as publicly known at the time of release and one of these is reported as being actively exploited.

Let’s take a closer look at some of the more interesting patches for this month, starting with the issue currently under active attack:

-   CVE-2018-8589 – Win32k Elevation of Privilege Vulnerability
Just like last month, November has a Win32K (kernel-mode drivers) elevation of privilege vulnerability listed as currently under active attack. Also like last month, this bug was reported by researchers at Kaspersky Labs, indicating this bug is being used in malware. Again, this is likely being used in targeted attacks in combination with other bugs. Malware often uses kernel elevation bugs to go from user-mode to admin-mode, allowing them full control of a target system.

 -  CVE-2018-8450 – Windows Search Remote Code Execution Vulnerability
Local bugs are interesting, but I really like triggering things over the network. This patch corrects a problem in Windows Search that could allow a remote attacker to execute privileged code and take over a target system. There is a local component here, but Microsoft also states this could be done by an unauthenticated user via an SMB connection. Remotely triggering elevated code execution without authentication generally means wormable. Microsoft rates this as Important, but you should definitely treat it as Critical, especially since Microsoft also gives it the “Exploitation more likely” rating in its Exploit Index.

-  CVE-2018-8476 – Windows Deployment Services TFTP Server Remote Code Execution Vulnerability
This patch corrects a bug that could allow an attacker to execute code with elevated permissions through a specially crafted TFTP message. Getting elevated code execution over a network without authentication generally means wormable, but for this vulnerability, it would only be wormable to other affected TFTP servers. However, chances are your TFTP server also has other roles. Since this bug allows an attacker to take over a system, any other service – DNS, Active Directory, DHCP, etc. – could also be manipulated. If you’re running deployment services, don’t miss this patch.

-  CVE-2018-8566 – BitLocker Security Feature Bypass Vulnerability
The BitLocker encryption feature has had a rough month. First, it was shown that it could be bypassed due to bad SSD encryption. Microsoft released Advisory ADV180028 to address that problem. This patch corrects a vulnerability in the way BitLocker suspends device encryption. Someone with physical access could bypass encryption if they find a device in the correct, powered-off state. One of the primary reasons to roll out BitLocker is to prevent just this sort of scenario. If your enterprise uses BitLocker, definitely prioritize this update.

Here’s the full list of CVEs released by Microsoft for November 2018.

 CVE   Title   Severity   Public   Exploited   XI - Latest  XI - Older  Type
 CVE-2018-8589   Windows Win32k Elevation of Privilege Vulnerability   Important   No   Yes  1 0 EoP
 CVE-2018-8584   Windows ALPC Elevation of Privilege Vulnerability   Important   Yes   No  1 1 EoP
 CVE-2018-8566   BitLocker Security Feature Bypass Vulnerability   Important   Yes   No  2 2 SFB
 CVE-2018-8476   Windows Deployment Services TFTP Server Remote Code Execution Vulnerability   Critical   No   No  1 1 RCE
 CVE-2018-8553   Microsoft Graphics Components Remote Code Execution Vulnerability   Critical   No   No   N/A  1 RCE
 CVE-2018-8588   Chakra Scripting Engine Memory Corruption Vulnerability   Critical   No   No  1  N/A  RCE
 CVE-2018-8541   Chakra Scripting Engine Memory Corruption Vulnerability   Critical   No   No  1  N/A  RCE
 CVE-2018-8542   Chakra Scripting Engine Memory Corruption Vulnerability   Critical   No   No  1  N/A  RCE
 CVE-2018-8543   Chakra Scripting Engine Memory Corruption Vulnerability   Critical   No   No  1  N/A  RCE
 CVE-2018-8544   Windows VBScript Engine Remote Code Execution Vulnerability   Critical   No   No  1 1 RCE
 CVE-2018-8555   Chakra Scripting Engine Memory Corruption Vulnerability   Critical   No   No  1  N/A  RCE
 CVE-2018-8556   Chakra Scripting Engine Memory Corruption Vulnerability   Critical   No   No  1  N/A  RCE
 CVE-2018-8557   Chakra Scripting Engine Memory Corruption Vulnerability   Critical   No   No  1  N/A  RCE
 CVE-2018-8551   Chakra Scripting Engine Memory Corruption Vulnerability   Critical   No   No  1  N/A  RCE
CVE-2018-8609 Microsoft Dynamics 365 (on-premises) version 8 Remote Code Execution Vulnerability  Critical   No   No   N/A   N/A  RCE
CVE-2018-8600  Azure App Service Cross-site Scripting Vulnerability  Important   No   No   N/A   N/A  Spoof
CVE-2018-8602  Team Foundation Server Cross-site Scripting Vulnerability  Important   No   No   N/A   N/A  Spoof
CVE-2018-8605  Microsoft Dynamics 365 (on-premises) version 8 Cross Site Scripting Vulnerability   Important   No   No   N/A   N/A  Spoof
CVE-2018-8606  Microsoft Dynamics 365 (on-premises) version 8 Cross Site Scripting Vulnerability   Important   No   No   N/A   N/A  Spoof
CVE-2018-8607  Microsoft Dynamics 365 (on-premises) version 8 Cross Site Scripting Vulnerability   Important   No   No   N/A   N/A  Spoof
CVE-2018-8608  Microsoft Dynamics 365 (on-premises) version 8 Cross Site Scripting Vulnerability   Important   No   No   N/A   N/A  Spoof
 CVE-2018-8471   Microsoft RemoteFX Virtual GPU miniport driver Elevation of Privilege Vulnerability   Important   No   No  2 2 EoP
 CVE-2018-8485   DirectX Elevation of Privilege Vulnerability   Important   No   No  2 2 EoP
 CVE-2018-8554   DirectX Elevation of Privilege Vulnerability   Important   No   No  1 1 EoP
 CVE-2018-8561   DirectX Elevation of Privilege Vulnerability   Important   No   No  2 2 EoP
 CVE-2018-8562   Win32k Elevation of Privilege Vulnerability   Important   No   No  1 1 EoP
 CVE-2018-8572   Microsoft SharePoint Elevation of Privilege Vulnerability   Important   No   No  2 2 EoP
 CVE-2018-8581   Microsoft Exchange Server Elevation of Privilege Vulnerability   Important   No   No  2 2 EoP
 CVE-2018-8550   Windows COM Elevation of Privilege Vulnerability   Important   No   No  2 2 EoP
 CVE-2018-8552   Windows VBScript Engine Remote Code Execution Vulnerability   Important   No   No  1 1 EoP
 CVE-2018-8568   Microsoft SharePoint Elevation of Privilege Vulnerability   Important   No   No  2 2 EoP
 CVE-2018-8592   Windows Elevation Of Privilege Vulnerability   Important   No   No  2 2 EoP
 CVE-2018-8567   Microsoft Edge Elevation of Privilege Vulnerability   Important   No   No  1  N/A  EoP
 CVE-2018-8563   DirectX Information Disclosure Vulnerability   Important   No   No   N/A  1 Info
 CVE-2018-8407   MSRPC Information Disclosure Vulnerability   Important   No   No  2 2 Info
 CVE-2018-8454   Windows Audio Service Information Disclosure Vulnerability   Important   No   No  2 2 Info
 CVE-2018-8565   Win32k Information Disclosure Vulnerability   Important   No   No   N/A  1 Info
 CVE-2018-8558   Microsoft Outlook Information Disclosure Vulnerability   Important   No   No  2 2 Info
 CVE-2018-8408   Windows Kernel Information Disclosure Vulnerability   Important   No   No  1 1 Info
 CVE-2018-8545   Microsoft Edge Information Disclosure Vulnerability   Important   No   No  1  N/A  Info
 CVE-2018-8578   Microsoft SharePoint Information Disclosure Vulnerability   Important   No   No  3 3 Info
 CVE-2018-8579   Microsoft Outlook Information Disclosure Vulnerability   Important   No   No  2 2 Info
 CVE-2018-8256   PowerShell Remote Code Execution Vulnerability   Important   No   No  2 2 RCE
 CVE-2018-8522   Microsoft Outlook Remote Code Execution Vulnerability   Important   No   No  1 1 RCE
 CVE-2018-8576  Microsoft Outlook Remote Code Execution Vulnerability   Important   No   No  1 1 RCE
 CVE-2018-8524   Microsoft Outlook Remote Code Execution Vulnerability   Important   No   No  2 2 RCE
 CVE-2018-8539   Microsoft Word Remote Code Execution Vulnerability   Important   No   No   N/A  1 RCE
 CVE-2018-8573   Microsoft Word Remote Code Execution Vulnerability   Important   No   No  1 1 RCE
 CVE-2018-8574   Microsoft Excel Remote Code Execution Vulnerability   Important   No   No  1 1 RCE
 CVE-2018-8575   Microsoft Project Remote Code Execution Vulnerability   Important   No   No  2 2 RCE
 CVE-2018-8582   Microsoft Outlook Remote Code Execution Vulnerability   Important   No   No   N/A  1 RCE
 CVE-2018-8450   Windows Search Remote Code Execution Vulnerability   Important   No   No  1 1 RCE
 CVE-2018-8577   Microsoft Excel Remote Code Execution Vulnerability   Important   No   No  1 1 RCE
 CVE-2018-8570   Internet Explorer Memory Corruption Vulnerability   Important   No   No   N/A  2 RCE
 CVE-2018-8417   Microsoft JScript Security Feature Bypass Vulnerability   Important   No   No  1 1 SFB
 CVE-2018-8549   Windows Security Feature Bypass Vulnerability   Important   No   No  2 2 SFB
 CVE-2018-8564   Microsoft Edge Spoofing Vulnerability   Important   No   No  1  N/A  Spoof
 CVE-2018-8547   Active Directory Federation Services XSS Vulnerability   Important   No   No  2 2 Spoof
CVE-2018-8529  Team Foundation Server Remote Code Execution Vulnerability  Important   No   No   N/A   N/A  RCE
 CVE-2018-8569  Yammer Desktop Application Remote Code Execution Vulnerability  Important   No   No   N/A   N/A  RCE
 CVE-2018-8415   Microsoft Powershell Tampering Vulnerability   Important   No   No  2 2 Tampering
 CVE-2018-8416   .NET Core Tampering Vulnerability   Moderate   No   No  2 2 Tampering
 CVE-2018-8546   Microsoft Skype for Business Denial of Service Vulnerability   Low   No   No  3 3 DoS

This month sees fewer browser-related patches than previous months, but there are still plenty of browser bugs to cover. There’s also a patch for VBScript that acts like a browser bug since it has the same exploit scenario (browse and own) as the web browsers. This one could also embed an ActiveX controls marked “safe for initialization” in an Office document and trick a user into opening it.

Remote code execution (RCE) bugs dominate this month’s release, with 24 patches for RCE bugs. Many of the RCE bugs corrected this month reside in the Office suite. Word, Excel, Project, SharePoint, and Outlook all receive patches in this release. The Outlook bugs are somewhat interesting, but none can be hit through the Preview Pane. Having an attacker rely on user interaction means defenders have to rely on user education, which is sometimes a risky bet.

Tampering is rarely seen impact, but there are two CVEs this month covering tampering vulns. The first is in .NET Core and could allow attackers to write arbitrary files on a system by sending specially crafted file to an affected system. However, attackers only have limited control over the destination for files. The other tampering bug affects PowerShell and could allow local attackers to execute unlogged code. There’s also a PowerShell RCE bug being patched. In this case, an attacker would need to send a specially crafted file to a target system.

There are also updates for the Windows graphics components, DirectX, Windows kernel, the COM Aggregate Marshaler, and Advanced Local Procedure Calls (ALPC). One of the graphics-related vulnerabilities could allow code execution when viewing a specially crafted image. One of the more esoteric Windows patches corrects an elevation of privilege that could occur if you installed certain builds of Windows from media for Windows 10, version 1809 and an attacker had physical access to the target. That’s a pretty specific attack scenario. 

Microsoft Dynamics also receives a fair amount of attention this month, with multiple patches delivering fixes for Microsoft Dynamics 365 (on-premises) version 8. The majority of these patches correct cross-site scripting (XSS) issues. There is also a patch for an RCE in Dynamics that could allow an attacker to execute code at the level of the SQL service account. While this won’t allow someone to completely take over a system, it does allows them to really mess with the information in a database.

Rounding out the November release is a patch for Microsoft Exchange to address an elevation of privilege bug. An attacker could use command injection to impersonate any other user on the Exchange Server. It would require a man-in-the-middle to be successful, but just imagine the hi-jinx that would ensue from sending out spoofed mail. Fortunately for Exchange admins, this bug can be rendered unexploitable just through the deletion of a registry key. That’s much less nerve wracking than a typical Exchange patch.

Finally, there are a few advisories to cover this month, as well. The aforementioned ADV180028, was released earlier on November 6, but it should not be ignored for those running BitLocker. ADV990001 provide a list of the latest servicing stack updates for each operating system. The final advisory for November is Microsoft’s version of the previously discussed Adobe patch for Flash in Internet Explorer.

Looking Ahead

The next patch Tuesday falls on December 11, and we’ll return with details and patch analysis then. Until then, happy patching and may all your reboots be smooth and clean!