December, 2018: Patch Tuesday: Flash and Windows Kernal Vulnerabilities Exploited

Welcome to this December Patch Tuesday Bulletin. This month we have 39 unique MS related CVE’s, an Adobe Flash Update, and 2 exploited vulnerabilities. This month there are 2 vulnerabilities, CVE-2018-8611 and CVE-2018-15982, being attacked in the wild. CVE-2018-8611 is a Windows kernel elevation of privilege vulnerability that can be exploited by running a malicious application. CVE-2018-15982 is an Arbitrary Code Execution vulnerability in Flash Player. Microsoft also released a security advisory for inadvertently disclosed certificates by the Sennheiser HeadSetup and HeadSetup Pro. If this software is present in the environment then updates are required. The good news is that there were no known attacks to either browser platforms and the quantity of unique CVE’s is a lot lower than previous months. Review Flash, Windows, and Office applications this month and make sure that patches are being applied appropriately.

Over the years we've had millions of visitors to UltimateWindowsSecurity.com. Every month we have thousands and thousands of visitors to our Security Log Encyclopedia which documents all of the Security Log event ID’s for Windows Server OS’s. Back in 2007 when SharePoint added auditing capability, I realized that my audience not only needed the event information from SharePoint but I also found a similar need in SQL Server and Exchange. So not only did I document the data but I also started to develop the means to extract that event data from these applications so that it’s accessible and useable to the end user. Some 8 years later and LOGbinder is continuing to grow as companies realize LOGbinder bridges the gap between these applications and their infosec team. Visit LOGbinder.com to download a free 30-day fully functional trial and see the security event data that you have literally been missing.

Patch data provided by:

Technology

Products Affected

Severity

Reference

Workaround/ Exploited

Vulnerability Info

Adobe Flash Player

31.0.0.153 and earlier

Critical

ADV180031**

ADV180030

*Workaround: No

**Exploited: Yes

***Public: No

Remote Code Execution

Internet Explorer

IE 9, 10, 11

Critical

CVE-2018-8619

CVE-2018-8625

CVE-2018-8631

CVE-2018-8643

*Workaround: No

**Exploited: No

***Public: No

Remote Code Execution

Edge

All

Critical

CVE-2018-8583

CVE-2018-8617

CVE-2018-8618

CVE-2018-8624

CVE-2018-8629

*Workaround: No

**Exploited: No

***Public: No

Remote Code Execution

Windows

Windows 7, 8.1, 8.1 RT, 10

Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019

Critical

CVE-2018-8477

CVE-2018-8514

CVE-2018-8595

CVE-2018-8596

CVE-2018-8599

CVE-2018-8611**

CVE-2018-8612

CVE-2018-8621

CVE-2018-8622

CVE-2018-8626

CVE-2018-8634

CVE-2018-8637

CVE-2018-8638

CVE-2018-8639

CVE-2018-8641

CVE-2018-8649

CVE-2018-8652

ADV180029

*Workaround: No

**Exploited: Yes

***Public: No

Information Disclosure

Elevation of Privilege

Denial of Service

Remote Code Execution

Spoofing

Office, Office Services, and Web Apps

Excel 2010, 2013, 2016

Office 2010, 2016 for Mac, 2019, 2019 for Mac, Web Apps 2010, Web Apps 2013

Outlook 2010, 2013, 2016

PowerPoint 2010, 2013, 2016

SharePoint Enterprise Server 2013, 2016

SharePoint Server 2010, 2013, 2019

Office 365 ProPlus

Important

CVE-2018-8580

CVE-2018-8587

CVE-2018-8597

CVE-2018-8598

CVE-2018-8627

CVE-2018-8628

CVE-2018-8635

CVE-2018-8636

CVE-2018-8650

 

*Workaround: No

**Exploited: No

***Public: No

Information Disclosure

Remote Code Execution

Elevation of Privilege

Spoofing

 

ChakraCore

All

Critical

CVE-2018-8583

CVE-2018-8617

CVE-2018-8618

CVE-2018-8624

CVE-2018-8629

*Workaround: No

**Exploited: No

***Public: No

Remote Code Execution

.NET Framework

.NET 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2

Critical

CVE-2018-8517

CVE-2018-8540

*Workaround: No

**Exploited: No

***Public: Yes

Denial of Service

Remote Code Execution

Dynamics NAV

Nav 2016, 2017

Important

CVE-2018-8651

*Workaround: No

**Exploited: No

***Public: No

Spoofing

Exchange Server

Server 2016

Important

CVE-2018-8604

*Workaround: No

**Exploited: No

***Public: No

Tampering

Visual Studio

Visual Studio 2015, 2017

Important

CVE-2018-8599

*Workaround: No

**Exploited: No

***Public: No

Elevation of Privilege

Azure Pack (WAP)

Azure Pack Rollup 13.1

Important

CVE-2018-8652

*Workaround: No

**Exploited: No

***Public: No

Remote Code Execution


Send me this chart next Patch Tuesday.
Email:

We will not share your address. Unsubscribe anytime. By clicking "Submit",
you're agreeing to our Privacy Policy and consenting to be contacted by us.