In its Patch Tuesday updates for December, Microsoft has once again fixed, for the fourth month in a row, a zero-day bug that was continuously being exploited in the wild.
The Patch Tuesday updates (Patch Tuesday is the name given to Microsoft’s monthly security patches) for December has fixed 39 vulnerabilities across a large set of Microsoft products including Internet Explorer, Edge, Microsoft Windows, Office and Microsoft Office Services and Web Apps, and the .NET Framework.; nine of these bugs are rated ‘critical’.
Threatpost editor Tom Spring writes, “Microsoft has patched a zero-day vulnerability actively being used against older versions of the Windows operating system, as part of its December Patch Tuesday updates.”
He adds, “According to the software giant, the vulnerability (CVE-2018-8611) is an elevation-of-privilege (EoP) bug that affects Windows 7 through Server 2019. It has a CVSS rating of seven, classifying it as a high-severity flaw.”
“An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” wrote Microsoft in its Patch Tuesday bulletin for December.
The bulletin further reads, “To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system…The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.”
The bug was being continuously exploited and hence the fix really significant.
ZDNet writes, “Just like in the last two months, and for the third month in a row, this zero-day was being (ab)used in nation-state cyber-espionage operations. Just like last month, there were two cyber-espionage groups abusing this zero-day, and not just one, suggesting some sort of infrastructure sharing, or common leadership.”
Of the nine critical bugs fixed, one (CVE-2018-8517) was publicly known ahead of the Patch Tuesday update, but was not being exploited. Any remote hacker could exploit this vulnerability, a .NET framework denial-of-service vulnerability, by issuing a specially crafted request to the .NET Framework application.
Another bug that has been fixed is a remote code-execution bug CVE-2018-8634, which impacts Microsoft’s text-to-speech engine. Five among the nine critical bugs fixed by the update are related to Microsoft’s Chakra scripting engine, which is a JavaScript engine that has been developed for the Edge browser. These are all memory corruption bugs and hackers could use these to execute arbitrary codes during user sessions, elevate user rights and take control of computer systems.
