• December 2018 Patch Tuesday is under way

    December Updates are rolling out. There are 194 updates listed in the Update Catalog.

    Martin Brinkmann at ghacks.com has his usual thorough summary.

    Operating System Distribution

    • Windows 7: 9 vulnerabilities of which 9 are rated important.
    • Windows 8.1: 8 vulnerabilities of which 8 are rated important.
    • Windows 10 version 1607: 12 vulnerabilities of which 2 are critical and 10 are important
    • Windows 10 version 1703: 11 vulnerabilities of which 1 is critical and 10 are important
    • Windows 10 version 1709: 12 vulnerabilities of which 2 are critical and 10 are important
    • Windows 10 version 1803: 12 vulnerabilities of which 2 are critical and 10 are important
    • Windows 10 version 1809: 19 vulnerabilities of which 2 are critical and 17 are important

    Windows Server products

    • Windows Server 2008 R2: 9 vulnerabilities of which 9 are important.
    • Windows Server 2012 R2: 9 vulnerabilities of which 1 is critical and 8 are important.
    • Windows Server 2016: 11 vulnerabilities of which 2 are critical and 9 are important.
    • Windows Server 2019: 13 vulnerabilities of which 2 are critical and 11 are important.

    Other Microsoft Products

    • Internet Explorer 11: 4 vulnerabilities, 1 critical, 3 important
    • Microsoft Edge: 5 vulnerabilities, 5 critical

    Microsoft Office Security Updates are available. There are updates for Office 2016, Office 2013, Office 2010, the Office Viewers and the SharePoint Servers.

    The .NET updates include Security-only updates this month, as well as the usual .NET Rollups.

    For those of you with Windows 10, there are new Servicing Stack updates:
    Win10 1709 Build 16229.846 KB 4477136
    Win10 1803 Build 17134.471 KB 4477137

    Interesting note from Senior Solutions Architect Allan Liska at Recorded Future:

    Microsoft Edge has multiple critical vulnerabilities in its Chakra Core scripting engine. This is now the 15th straight month that Microsoft has disclosed a vulnerability in the Chakra scripting engine; the last Patch Tuesday without a Chakra disclosure was September of 2017. This month’s vulnerability (CVE-2018-8583 and CVE-2018-8629) is a memory corruption vulnerability that, if exploited, would allow an attacker to execute arbitrary code on the victim’s machine.

    Note Microsoftie liminzhu’s post on GitHub:

    We’ve seen your questions for ChakraCore and we want to be transparent and honest with the open-source community that has given us so much support. To be compatible with the rest of the platform and reduce interoperability risks, Microsoft Edge will use the V8 engine as part of this change. There is much to build and learn, but we’re excited to take part in the V8 community and start contributing to the project.

    ChakraCore is currently being used in various projects outside the browser. So, despite the change of direction for Microsoft Edge, our team will continue supporting ChakraCore.

    You have to wonder if ChakraCore’s holiness is a contributing factor in Microsoft’s switch to the Chromium rendering engine.

    Dustin Childs has his usual report up on the Zero Day Initiative site. He lists one vulnerability as exploited, but not publicly known, and one as known but not yet actively exploited. All the rest are less serious.

    The exploited vulnerability — the 0day — has a familiar pedigree:

    For the third month in a row, December has a Win32K (kernel-mode drivers) elevation of privilege vulnerability listed as currently under active attack. And, as was the case in previous months, this bug was reported by researchers at Kaspersky Labs, indicating this bug is being used in malware. Again, this is likely being used in targeted attacks in combination with other bugs.

    Translation: Unless you’re protecting enormous state secrets (probably in a language other than English), you’re undoubtedly in the clear. Expect an explanation from Kaspersky shortly.

    Chris Hoffman at How-To Geek has a seeker warning:

    Microsoft hasn’t learned its lesson. If you click the “Check for Updates” button in the Settings app, Microsoft still considers you a “seeker” and will give you “preview” updates that haven’t gone through the normal testing process.

    Of course, to be completely clear, I don’t recommend that you install ANY updates. It’s much too early to know what evil lurks in the hearts of man…