Posted: 23 Min Read Threat Intelligence

Microsoft Patch Tuesday – November 2018

This month the vendor has patched 62 vulnerabilities, 13 of which are rated Critical.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

 

Microsoft's summary of the November 2018 releases can be found here:
https://portal.msrc.microsoft.com/en-us/security-guidance

 

This month's update covers vulnerabilities in:

  • Internet Explorer
  • Microsoft Edge
  • ChakraCore
  • Microsoft Office
  • Microsoft .NET Core
  • Microsoft Windows
  • Microsoft Skype
  • Azure App Service
  • Team Foundation Server
  • Dynamics 365 (on-premises)

 

The following is a breakdown of the issues being addressed this month:

  1. Cumulative Security Update for Microsoft Browsers

    Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2018-8541) MS Rating: Critical

    A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. An attacker can exploit this issue to execute arbitrary code in the context of the current user. Successful exploitation of this vulnerability would allow an attacker to gain the same user rights as the current user.

     

    Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2018-8542) MS Rating: Critical

    A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. An attacker can exploit this issue to execute arbitrary code in the context of the current user. Successful exploitation of this vulnerability would allow an attacker to gain the same user rights as the current user.

     

    Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2018-8543) MS Rating: Critical

    A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. An attacker can exploit this issue to execute arbitrary code in the context of the current user. Successful exploitation of this vulnerability would allow an attacker to gain the same user rights as the current user.

     

    Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2018-8551) MS Rating: Critical

    A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. An attacker can exploit this issue to execute arbitrary code in the context of the current user. Successful exploitation of this vulnerability would allow an attacker to gain the same user rights as the current user.

     

    Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2018-8555) MS Rating: Critical

    A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. An attacker can exploit this issue to execute arbitrary code in the context of the current user. Successful exploitation of this vulnerability would allow an attacker to gain the same user rights as the current user.

     

    Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2018-8556) MS Rating: Critical

    A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. An attacker can exploit this issue to execute arbitrary code in the context of the current user. Successful exploitation of this vulnerability would allow an attacker to gain the same user rights as the current user.

     

    Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2018-8557) MS Rating: Critical

    A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. An attacker can exploit this issue to execute arbitrary code in the context of the current user. Successful exploitation of this vulnerability would allow an attacker to gain the same user rights as the current user.

     

    Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2018-8588) MS Rating: Critical

    A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. An attacker can exploit this issue to execute arbitrary code in the context of the current user. Successful exploitation of this vulnerability would allow an attacker to gain the same user rights as the current user.

     

    Internet Explorer Memory Corruption Vulnerability (CVE-2018-8570) MS Rating: Important

    A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. An attacker can exploit this issue to execute arbitrary code in the context of the current user. Successful exploitation of this vulnerability would allow an attacker to gain the same user rights as the current user.

     

    Microsoft Edge Privilege Escalation Vulnerability (CVE-2018-8567) MS Rating: Important

    A privilege escalation vulnerability exists when Microsoft Edge does not properly enforce cross-domain policies. An attacker can exploit this issue to access information from one domain and inject it into another domain.

     

    Microsoft Edge Spoofing Vulnerability (CVE-2018-8564) MS Rating: Important

    A spoofing vulnerability exists when Microsoft Edge improperly handles specific HTML content. An attacker can exploit this issue to trick a user into believing that the user was on a legitimate website. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services.

     

    Microsoft Edge Information Disclosure Vulnerability (CVE-2018-8545) MS Rating: Important

    An information disclosure vulnerability exists in the way that Microsoft Edge handles cross-origin requests. An attacker can exploit this issue to determine the origin of all webpages in the affected browser.

     

    Windows Scripting Engine Memory Corruption Vulnerability (CVE-2018-8552) MS Rating: Important

    An information disclosure vulnerability exists when VBScript improperly discloses the contents of its memory. An attacker can exploit this issue to further compromise the user’s computer or data. To exploit the vulnerability, an attacker must know the memory address of where the object was created.

     

    Windows VBScript Engine Remote Code Execution Vulnerability (CVE-2018-8544) MS Rating: Critical

    A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. An attacker can exploit this issue to execute arbitrary code in the context of the current user. Successful exploitation of this vulnerability would allow an attacker to gain the same user rights as the current user.

     

  2. Cumulative Security Update for Microsoft Office

    Microsoft Outlook Remote Code Execution Vulnerability (CVE-2018-8522) MS Rating: Important

    A remote code execution vulnerability exists in Microsoft Outlook software when it fails to properly handle objects in memory. An attacker can exploit this issue to use a specially crafted file to perform actions in the security context of the current user. Successful exploitation of this vulnerability would allow an attacker to gain the same user rights as the current user. To exploit the vulnerability, a user must open a specially crafted file with an affected version of Microsoft Outlook software.

     

    Microsoft Outlook Remote Code Execution Vulnerability (CVE-2018-8576) MS Rating: Important

    A remote code execution vulnerability exists in Microsoft Outlook software when it fails to properly handle objects in memory. An attacker can exploit this issue to use a specially crafted file to perform actions in the security context of the current user. Successful exploitation of this vulnerability would allow an attacker to gain the same user rights as the current user. To exploit the vulnerability, a user must open a specially crafted file with an affected version of Microsoft Outlook software.

     

    Microsoft Outlook Remote Code Execution Vulnerability (CVE-2018-8524) MS Rating: Important

    A remote code execution vulnerability exists in Microsoft Outlook software when it fails to properly handle objects in memory. An attacker can exploit this issue to use a specially crafted file to perform actions in the security context of the current user. Successful exploitation of this vulnerability would allow an attacker to gain the same user rights as the current user. To exploit the vulnerability, a user must open a specially crafted file with an affected version of Microsoft Outlook software.

     

    Microsoft Outlook Remote Code Execution Vulnerability (CVE-2018-8582) MS Rating: Important

    A remote code execution vulnerability exists in the way that Microsoft Outlook parses specially modified rule export files. An attacker can exploit this issue to take control of an affected system.

     

    Microsoft Outlook Information Disclosure Vulnerability (CVE-2018-8558) MS Rating: Important

    An information disclosure vulnerability exists when Microsoft Outlook fails to respect 'Default link type' settings configured through the SharePoint Online Admin Center. An attacker can exploit this issue to share anonymously-accessible links to other users via email where these links are intended to be accessed only by specific users.

     

    Microsoft Outlook Information Disclosure Vulnerability (CVE-2018-8579) MS Rating: Important

    An information disclosure vulnerability exists when attaching files to Outlook messages. An attacker can exploit this issue to share attached files such that they are accessible by anonymous users where they should be restricted to specific users. To exploit this vulnerability, an attacker would have to attach a file as a link to an email.

     

    Microsoft Exchange Server Privilege Escalation Vulnerability (CVE-2018-8581) MS Rating: Important

    A privilege escalation vulnerability exists in Microsoft Exchange Server. An attacker can exploit this issue to perform script/content injection attacks and attempt to impersonate any other user of the Exchange server. To exploit the vulnerability, an attacker would need to execute a man-in-the-middle attack to forward an authentication request to a Microsoft Exchange Server, thereby allowing impersonation of another Exchange user.

     

    Microsoft SharePoint Privilege Escalation Vulnerability (CVE-2018-8568) MS Rating: Important

    A privilege escalation vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker can exploit the issue by sending a specially crafted request to an affected SharePoint server. Successful exploitation of this vulnerability would allow an attacker to perform cross-site scripting attacks on affected systems and run script in the security context of the current user.

     

    Microsoft SharePoint Privilege Escalation Vulnerability (CVE-2018-8572) MS Rating: Important

    A privilege escalation vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker can exploit the issue by sending a specially crafted request to an affected SharePoint server. Successful exploitation of this vulnerability would allow an attacker to perform cross-site scripting attacks on affected systems and run script in the security context of the current user.

     

    Microsoft SharePoint Information Disclosure Vulnerability (CVE-2018-8578) MS Rating: Important

    An information disclosure vulnerability exists when Microsoft SharePoint Server improperly discloses its folder structure when rendering specific web pages. An attacker can exploit this issue to view the folder path of scripts loaded on the page. To take advantage of the vulnerability, an attacker would require access to the specific SharePoint page affected by this vulnerability.

     

    Microsoft Excel Remote Code Execution Vulnerability (CVE-2018-8574) MS Rating: Important

    A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory. An attacker can exploit the issue to run arbitrary code in the context of the current user. Successful exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Excel.

     

    Microsoft Excel Remote Code Execution Vulnerability (CVE-2018-8577) MS Rating: Important

    A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory. An attacker can exploit the issue to run arbitrary code in the context of the current user. Successful exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Excel.

     

    Microsoft Word Remote Code Execution Vulnerability (CVE-2018-8539) MS Rating: Important

    A remote code execution vulnerability exists in Microsoft Word software when the software fails to properly handle objects in memory. An attacker can exploit the issue to run arbitrary code in the context of the current user. Successful exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Word software.

     

    Microsoft Word Remote Code Execution Vulnerability (CVE-2018-8573) MS Rating: Important

    A remote code execution vulnerability exists in Microsoft Word software when the software fails to properly handle objects in memory. An attacker can exploit the issue to run arbitrary code in the context of the current user. Successful exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Word software.

     

  3. Cumulative Security Update for Microsoft Windows Kernel

    Windows Kernel Information Disclosure Vulnerability (CVE-2018-8408) MS Rating: Important

    An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. An authenticated attacker can exploit the issue to run a specially crafted application. Successful exploitation of the vulnerability could allow an attacker to obtain information to further compromise the user's system.

     

    Win32k Privilege Escalation Vulnerability (CVE-2018-8562) MS Rating: Important

    A privilege escalation vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker can exploit this issue to run arbitrary code in kernel mode. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

     

    Win32k Information Disclosure Vulnerability (CVE-2018-8565) MS Rating: Important

    An information disclosure vulnerability exists when the win32k component improperly provides kernel information. An attacker can exploit this issue to obtain information to further compromise the user's system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application.

     

    Windows Win32k Privilege Escalation Vulnerability (CVE-2018-8589) MS Rating: Important

    A privilege escalation vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker can exploit this issue to run arbitrary code in kernel mode. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

     

    Windows Deployment Services TFTP Server Remote Code Execution Vulnerability (CVE-2018-8476) MS Rating: Critical

    A remote code execution vulnerability exists in the way that Windows Deployment Services TFTP Server handles objects in memory. An attacker can exploit this issue to execute arbitrary code with elevated permissions on a target system. To exploit the vulnerability, an attacker could create a specially crafted request, causing Windows to execute arbitrary code with elevated permissions.

     

  4. Cumulative Security Update for Microsoft Windows

    Microsoft Graphics Components Remote Code Execution Vulnerability (CVE-2018-8553) MS Rating: Critical

    A remote code execution vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. An attacker can exploit this issue to execute arbitrary code on a target system. To exploit the vulnerability, a user would have to open a specially crafted file.

     

    DirectX Information Disclosure Vulnerability (CVE-2018-8563) MS Rating: Critical

    An information disclosure vulnerability exists when DirectX improperly handles objects in memory. An authenticated attacker can exploit this issue by running a specially crafted application to obtain information to further compromise the user's system.

     

    DirectX Privilege Escalation Vulnerability (CVE-2018-8485) MS Rating: Important

    A privilege escalation vulnerability exists when DirectX improperly handles objects in memory. An attacker can exploit this issue to run arbitrary code in kernel mode. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

     

    DirectX Privilege Escalation Vulnerability (CVE-2018-8554) MS Rating: Important

    A privilege escalation vulnerability exists when DirectX improperly handles objects in memory. An attacker can exploit this issue to run arbitrary code in kernel mode. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

     

    DirectX Privilege Escalation Vulnerability (CVE-2018-8561) MS Rating: Important

    A privilege escalation vulnerability exists when DirectX improperly handles objects in memory. An attacker can exploit this issue to run arbitrary code in kernel mode. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

     

    PowerShell Remote Code Execution Vulnerability (CVE-2018-8256) MS Rating: Important

    A remote code execution vulnerability exists when PowerShell improperly handles specially crafted files. An attacker can exploit this issue to execute malicious code on a vulnerable system. To exploit the vulnerability, an attacker must send a specially crafted file to a vulnerable system.

     

    Microsoft Powershell Tampering Vulnerability (CVE-2018-8415) MS Rating: Important

    A tampering vulnerability exists in PowerShell that could allow an attacker to execute unlogged code. To exploit this vulnerability, an attacker would need to log on to the affected system and run a specially crafted application.

     

    MSRPC Information Disclosure Vulnerability (CVE-2018-8407) MS Rating: Important

    An information disclosure vulnerability exists when 'Kernel Remote Procedure Call Provider' driver improperly initializes objects in memory. An attacker can exploit this issue by running a specially crafted application. Successful exploitation of this vulnerability would allow an attacker to obtain information to further compromise the user's system.

     

    Microsoft JScript Security Feature Bypass Vulnerability (CVE-2018-8417) MS Rating: Important

    A security bypass vulnerability exists in Microsoft JScript that could allow an attacker to bypass Device Guard. To exploit the vulnerability, an attacker would first have to access the local machine, and run a specially crafted application to create arbitrary COM objects.

     

    Windows Search Remote Code Execution Vulnerability (CVE-2018-8450) MS Rating: Important

    A remote code execution vulnerability exists when Windows Search handles objects in memory. An attacker can exploit this issue by sending specially crafted messages to the Windows Search service to take control of the affected system. An attacker with access to a target computer could exploit this vulnerability to elevate privileges and take control of the computer.

     

    Windows Audio Service Information Disclosure Vulnerability (CVE-2018-8454) MS Rating: Important

    An information disclosure vulnerability exists when Windows Audio Service fails to properly handle objects in memory. An attacker can exploit this issue by running a specially crafted application in user mode to potentially disclose memory contents of a elevated process.

     

    Microsoft RemoteFX Virtual GPU miniport driver Privilege Escalation Vulnerability (CVE-2018-8471) MS Rating: Important

    A privilege escalation vulnerability exists in the way that the Microsoft RemoteFX Virtual GPU miniport driver handles objects in memory. A locally authenticated attacker can exploit this issue by running a specially crafted application to execute code with elevated permissions.

     

    Active Directory Federation Services XSS Vulnerability (CVE-2018-8547) MS Rating: Important

    A cross-site-scripting (XSS) vulnerability exists when an open source customization for Microsoft Active Directory Federation Services (AD FS) does not properly sanitize a specially crafted web request to an affected AD FS server. An authenticated attacker can exploit this issue by sending a specially crafted request to an affected AD FS server. Successful exploitation of this vulnerability would allow an attacker to then perform cross-site scripting attacks on affected systems and run scripts in the security context of the current user. This would allow an attacker to read content that the attacker is not authorized to read, use the victim's identity to take actions on the AD FS site on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user.

     

    Windows Security Feature Bypass Vulnerability (CVE-2018-8549) MS Rating: Important

    A security bypass exists when Windows incorrectly validates kernel driver signatures. An attacker can exploit this issue to bypass security features and load improperly signed drivers into the kernel.

     

    Windows COM Privilege Escalation Vulnerability (CVE-2018-8550) MS Rating: Important

    An elevation of privilege exists in Windows COM Aggregate Marshaler. An attacker can exploit this issue by running a specially crafted application to run arbitrary code with elevated privileges.

     

    BitLocker Security Feature Bypass Vulnerability (CVE-2018-8566) MS Rating: Important

    A security bypass vulnerability exists when Windows improperly suspends BitLocker Device Encryption. An attacker with physical access to a powered off system ccan exploit this issue to gain access to encrypted data. To exploit the vulnerability, an attacker must gain physical access to the target system prior to the next system reboot.

     

    Microsoft Project Remote Code Execution Vulnerability (CVE-2018-8575) MS Rating: Important

    A remote code execution vulnerability exists in Microsoft Project software when it fails to properly handle objects in memory. An attacker can exploit this issue using a specially crafted file to perform actions in the security context of the current user. To exploit the vulnerability, a user must open a specially crafted file with an affected version of Microsoft Project software.

     

    Windows ALPC Privilege Escalation Vulnerability (CVE-2018-8584) MS Rating: Important

    A privilege escalation vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). An attacker can exploit this issue by running a specially crafted application to execute arbitrary code in the security context of the local system and take control over an affected system. To exploit this vulnerability, an attacker would first have to log on to the system.

     

    Windows Privilege Escalation Vulnerability (CVE-2018-8592) MS Rating: Important

    A privilege escalation vulnerability exists in the setup path and you could be affected if a user installed certain builds of the OS from media for Windows 10, version 1809 and an attacker had physical (console) access to the machine.

     

  5. Cumulative Security Update for Dynamics 365 (on-premises)

    Microsoft Dynamics 365 (on-premises) version 8 Remote Code Execution Vulnerability (CVE-2018-8609) MS Rating: Critical

    A remote code execution vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. An attacker can exploit this issue to execute arbitrary code on a target system. To exploit the vulnerability, a user would have to open a specially crafted file.

     

    Microsoft Dynamics 365 (on-premises) version 8 Cross Site Scripting Vulnerability (CVE-2018-8605) MS Rating: Important

    A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) version 8 does not properly sanitize a specially crafted web request to an affected Dynamics server. An authenticated attacker can exploit this issue by sending a specially crafted request to an affected Dynamics server.

     

    Microsoft Dynamics 365 (on-premises) version 8 Cross Site Scripting Vulnerability (CVE-2018-8606) MS Rating: Important

    A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) version 8 does not properly sanitize a specially crafted web request to an affected Dynamics server. An authenticated attacker can exploit this issue by sending a specially crafted request to an affected Dynamics server.

     

    Microsoft Dynamics 365 (on-premises) version 8 Cross Site Scripting Vulnerability (CVE-2018-8607) MS Rating: Important

    A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) version 8 does not properly sanitize a specially crafted web request to an affected Dynamics server. An authenticated attacker can exploit this issue by sending a specially crafted request to an affected Dynamics server.

     

    Microsoft Dynamics 365 (on-premises) version 8 Cross Site Scripting Vulnerability (CVE-2018-8608) MS Rating: Important

    A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) version 8 does not properly sanitize a specially crafted web request to an affected Dynamics server. An authenticated attacker can exploit this issue by sending a specially crafted request to an affected Dynamics server.

     

  6. Security Update for Azure App Service

    Azure App Service Cross-site Scripting Vulnerability (CVE-2018-8600) MS Rating: Important

    A cross-site scripting vulnerability exists when Azure App Services on Azure Stack does not properly sanitize user provided input. An authenticated attacker can exploit this issue by sending a specially crafted payload to the App Service, which will get executed in the context of the user every time a user visits the compromised page.

     

  7. Security Update for Team Foundation Server

    Team Foundation Server Cross-site Scripting Vulnerability (CVE-2018-8602) MS Rating: Important

    A cross-site Scripting vulnerability exists when Team Foundation Server does not properly sanitize user provided input. An authenticated attacker can exploit this issue by sending a specially crafted payload to the Team Foundation Server, which will get executed in the context of the user every time a user visits the compromised page.

     

    Team Foundation Server Remote Code Execution Vulnerability (CVE-2018-8529) MS Rating: Important

    A remote code execution vulnerability exists when Team Foundation Server (TFS) does not enable basic authorization on the communication between the TFS and Search services. An attacker can exploit this issue to run certain commands on the Search service.

     

  8. Security Update for Microsoft .NET Core

    .NET Core Tampering Vulnerability (CVE-2018-8416) MS Rating: Moderate

    A tampering vulnerability exists when .NET Core improperly handles specially crafted files. An attacker can exploit this issue by sending a specially crafted file to a vulnerable system to write arbitrary files and directories to certain locations on a vulnerable system.

     

  9. Security Update for Microsoft Skype for Business

    Microsoft Skype for Business Denial of Service Vulnerability (CVE-2018-8546) MS Rating: Low

    A denial of service vulnerability exists in Skype for Business. An attacker can exploit this issue to cause Skype for Business to stop responding. Successful exploitation of this vulnerability requires that a user sends a number of emojis in the affected version of Skype for Business.

     

More information is available on Symantec's free Security Center portal and to our customers through the DeepSight Threat Management System.

About the Author

Himanshu Mehta

Senior Threat Analysis Engineer

Himanshu is a senior member of Symantec's Cyber Security Services organization. An active contributor to numerous security communities, he frequently provides insight on vulnerabilities and shares his knowledge by writing reports, blogs, and journals.

Want to comment on this post?

We encourage you to share your thoughts on your favorite social platform.