VERT Threat Alert: December 2018 Patch Tuesday Analysis

Today’s VERT Alert addresses Microsoft’s December 2018 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-809 on Wednesday, December 12th.

In-The-Wild & Disclosed CVEs

CVE-2018-8611

Microsoft is reporting that this Windows kernel privilege escalation vulnerability is seeing active exploitation on older versions of Windows. Successful exploitation can allow an attacker to run code in kernel mode. This issue was resolved by changing how the Windows kernel handles objects in memory.

Microsoft has rated this as a 1 on the Exploitability Index (Exploitation More Likely) on their latest Windows release, while active exploitation has been detected on older releases.

CVE-2018-8517

This vulnerability is a publicly disclosed issue with the .NET Framework that could allow an unauthenticated attacker to DoS a .NET Framework based web application by sending malformed web requests.

Microsoft has rated this as a 3 on the Exploitability Index (Exploitation Unlikely).

CVE Breakdown by Tag

While historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per tag basis.

Other Information

In addition to the Microsoft vulnerabilities included in the December Security Guidance, a pair of Adobe bulletins are available today.

December 2018 Adobe Flash Security Update [ADV180031]

Microsoft released updates for Adobe Flash. These correspond with Adobe Update APSB18-42. This includes fixes for CVE-2018-15982 and CVE-2018-15983.

Security Bulletin for Adobe Acrobat and Reader [APSB-41]

Adobe has released security updates for Adobe Acrobat and Reader. This includes fixes for 87 CVEs.

Microsoft December 2018 Patch Tuesday, (Tue, Dec 11th)

December 2018 Security Updates

| Description | CVE | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base (AVG) | CVSS Temporal (AVG) |
|---|---|---|---|---|---|---|---|---|
| .NET Framework Denial Of Service Vulnerability | CVE-2018-8517 | Yes | No | Unlikely | Unlikely | Important | | |
| .NET Framework Remote Code Injection Vulnerability | CVE-2018-8540 | No | No | Less Likely | Less Likely | Critical | | |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2018-8583 | No | No | | | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2018-8617 | No | No | | | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2018-8618 | No | No | | | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2018-8624 | No | No | | | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2018-8629 | No | No | | | Critical | 4.2 | 3.8 |
| Connected User Experiences and Telemetry Service Denial of Service Vulnerability | CVE-2018-8612 | No | No | More Likely | More Likely | Important | 4.7 | 4.7 |
| December 2018 Adobe Flash Security Update | ADV180031 | No | No | | | Critical | | |
| Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability | CVE-2018-8599 | No | No | More Likely | More Likely | Important | 7.0 | 6.3 |
| DirectX Information Disclosure Vulnerability | CVE-2018-8638 | No | No | | | Important | 4.7 | 4.2 |
| Internet Explorer Memory Corruption Vulnerability | CVE-2018-8631 | No | No | More Likely | More Likely | Critical | 6.4 | 5.8 |
| Internet Explorer Remote Code Execution Vulnerability | CVE-2018-8619 | No | No | More Likely | More Likely | Important | 6.4 | 5.8 |
| Microsoft Dynamics NAV Cross Site Scripting Vulnerability | CVE-2018-8651 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Excel Information Disclosure Vulnerability | CVE-2018-8598 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Excel Information Disclosure Vulnerability | CVE-2018-8627 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Excel Remote Code Execution Vulnerability | CVE-2018-8597 | No | No | More Likely | More Likely | Important | | |
| Microsoft Excel Remote Code Execution Vulnerability | CVE-2018-8636 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Exchange Server Tampering Vulnerability | CVE-2018-8604 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Outlook Remote Code Execution Vulnerability | CVE-2018-8587 | No | No | More Likely | More Likely | Important | | |
| Microsoft PowerPoint Remote Code Execution Vulnerability | CVE-2018-8628 | No | No | More Likely | More Likely | Important | | |
| Microsoft SharePoint Information Disclosure Vulnerability | CVE-2018-8580 | No | No | Unlikely | Unlikely | Important | | |
| Microsoft SharePoint Server Elevation of Privilege Vulnerability | CVE-2018-8635 | No | No | Unlikely | Unlikely | Important | | |
| Microsoft Text-To-Speech Remote Code Execution Vulnerability | CVE-2018-8634 | No | No | More Likely | More Likely | Critical | 4.2 | 3.8 |
| Remote Procedure Call runtime Information Disclosure Vulnerability | CVE-2018-8514 | No | No | Less Likely | Less Likely | Important | 3.3 | 3.3 |
| Scripting Engine Memory Corruption Vulnerability | CVE-2018-8643 | No | No | More Likely | More Likely | Important | 6.4 | 5.8 |
| Win32k Elevation of Privilege Vulnerability | CVE-2018-8639 | No | No | More Likely | More Likely | Important | 7.0 | 6.3 |
| Win32k Elevation of Privilege Vulnerability | CVE-2018-8641 | No | No | More Likely | More Likely | Important | 7.0 | 6.3 |
| Win32k Information Disclosure Vulnerability | CVE-2018-8637 | No | No | More Likely | More Likely | Important | 4.7 | 4.2 |
| Windows Azure Pack Cross Site Scripting Vulnerability | CVE-2018-8652 | No | No | | | Important | | |
| Windows DNS Server Heap Overflow Vulnerability | CVE-2018-8626 | No | No | Less Likely | Less Likely | Critical | 9.8 | 8.8 |
| Windows Denial of Service Vulnerability | CVE-2018-8649 | No | No | | | Important | 5.0 | 4.5 |
| Windows GDI Information Disclosure Vulnerability | CVE-2018-8595 | No | No | More Likely | More Likely | Important | 4.7 | 4.2 |
| Windows GDI Information Disclosure Vulnerability | CVE-2018-8596 | No | No | More Likely | More Likely | Important | 4.7 | 4.2 |
| Windows Kernel Elevation of Privilege Vulnerability | CVE-2018-8611 | No | Yes | Detected | More Likely | Important | 7.0 | 7.0 |
| Windows Kernel Information Disclosure Vulnerability | CVE-2018-8477 | No | No | More Likely | More Likely | Important | 3.3 | 3.3 |
| Windows Kernel Information Disclosure Vulnerability | CVE-2018-8621 | No | No | | | Important | 4.7 | 4.1 |
| Windows Kernel Information Disclosure Vulnerability | CVE-2018-8622 | No | No | | | Important | 4.7 | 4.1 |
| Windows VBScript Engine Remote Code Execution Vulnerability | CVE-2018-8625 | No | No | More Likely | More Likely | Important | 6.4 | 5.8 |

For a detailed breakdown please see Renato’s Dashboard: 

SAP Security Notes December ‘18: High Priority Missing Authorization Check Affecting SAP S/4HANA

Today, on SAP’s Security Patch Day, the company published 17 security notes, including a few that had been published during the month after the last Patch Day. Two notes tagged as Hot News and three tagged as High Priority stand out from the rest, including a recurrent re-released note about Chromium (#2622660), a bug in SAP Hybris (#2711425) and a critical missing authorization check previously reported by the Onapsis Research Labs affecting most SAP users (#2698996). This last note affects not only SAP NetWeaver ABAP systems, but also S/4HANA environments.

Facebook relaunches search ads to offset slowing revenue

It’s an ad duopoly battle. Facebook is starting to test search ads in its search results and Marketplace, directly competing with Google’s AdWords. Facebook first tried Sponsored Results back in 2012 but eventually shut down the product in 2013. Now it’s going to let a small set of automotive, retail, and ecommerce industry advertisers show users ads on the search results page on mobile in the US and Canada.

Data scraping treasure trove found in the wild

We bring word of yet more data exposure, in the form of “nonsensitive” data scraping to the tune of 66m records across 3 large databases. The information was apparently scraped from various sources and left to gather dust, for anyone lucky enough to stumble upon it.

Netsparker Announces New Application & Websites Discovery Service

Today, we announce a new Netsparker feature, the Netsparker Radar – Application & Service Discovery Service. This feature can both discover and catalog the websites or web applications that your business has online, including those you may have forgotten. This will help you ensure that you have better security coverage for all your web applications, services, and other online collateral.