126 vulnerabilities patched in Microsoft and Adobe this December 2018

Multiple update patches are coming

Sysadmins will work overtime over the next holidays. According to digital forensics specialists from the International Institute of Cyber Security, the next update patch set to be launched by Microsoft includes fixes for nine critical vulnerabilities, including the repair of zero-day vulnerability.

In addition to the 39 errors reported by Microsoft, admins should keep in the expectation of the release of update patches for the 87 bugs reported by Adobe. The most relevant one (CVE-2018-8611) is a privilege escalation error that affects all supported operating systems from Windows 7 to Server 2019. This vulnerability would allow a malicious actor to execute arbitrary code in kernel mode.

“Before exploiting this vulnerability, the potential attacker would have to log into the system. The attacker could run a specially crafted application to take control of the compromised system,” mentioned experts in digital forensics.

A Microsoft security announcement adds: “An attacker who successfully exploited this vulnerability could execute arbitrary code in kernel mode to install programs, view, change, or delete data or create new accounts with all user privileges.” Another outstanding error is CVE-2018-8517, a bug useful to generate DDoS conditions in web applications.

“The vulnerability could be exploited remotely and without authentication by issuing a specially designed application for the vulnerable application”, said Chris Goettl, an expert in information security and digital forensics.

“Exploiting this vulnerability is considered too complex, however, having been publicly disclosed, there could be enough information available for a malicious actor to devise an easier way to exploit the flaw”, the expert mentions.

Allan Liska, a cybersecurity specialist, highlights that among the vulnerabilities to be corrected soon is an overflow bug on the Microsoft DNS server (CVE-2018-8626), as well as multiple critical errors in the scripting engine Microsoft Edge Chakra Core.

“It’s already fifteen consecutive months in which Microsoft reports vulnerabilities in the Chakra script engine. The last time Microsoft left intact the scripting engine Chakra was in September 2017,” said Liska.

This time, Chakra has two memory corruption vulnerabilities (CVE-2018-8583 and CVE-2018-8629) that would allow a hacker to execute arbitrary code in the victim’s system.

Experts also recommended companies that work with Adobe to install update patches as soon as possible, especially those addressing vulnerabilities CVE-2018-15982 and CVE-2018-15983, two zero-day bugs in Adobe Flash that have already been exploited in the wild.