Microsoft has patched a zero-day vulnerability actively being used against older versions of the Windows operating system, as part of its December Patch Tuesday updates.
According to the software giant, the vulnerability (CVE-2018-8611) is an elevation-of-privilege (EoP) bug that affects Windows 7 through Server 2019. It has a CVSS rating of seven, classifying it as a high-severity flaw.
The EoP is triggered when the Windows kernel fails to properly handle objects in memory, according to Microsoft. “An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” wrote Microsoft in its December Patch Tuesday bulletin.
However, “the attacker would first have to log onto the system then run a specially crafted application to take control of the affected system,” said Chris Goettl, director of product management, security, Ivanti.
In addition to the zero-day bug, Microsoft patched nine critical vulnerabilities and 30 flaws rated important, impacting a range of Microsoft products from Internet Explorer, Edge, ChackraCore, Microsoft Windows, Office and Microsoft Office Services and Web Apps, and the .NET Framework.
One of these (CVE-2018-8517) is noteworthy because it was publicly known ahead of the scheduled update released Tuesday, but not exploited, according to the security bulletin. The flaw is a .NET framework denial-of-service vulnerability.
“A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET Framework application,” wrote Microsoft. “The vulnerability can be exploited remotely, without authentication.”
Five of the nine critical vulnerabilities are tied to Microsoft’s Chakra scripting engine, a JavaScript engine developed for the Edge web browser. Each of the flaws are memory-corruption bugs that would allow an adversary to execute arbitrary code during a user session, elevate user rights and ultimately take control of the affected system.
“Browser and scripting engine patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser,” advised Qualys in its Patch Tuesday commentary. “This includes multi-user servers that are used as remote desktops for users. Out of the 9 critical vulnerabilities, 6 can be exploited through browsers.”
Another noteworthy remote code-execution bug CVE-2018-8634 (rated important) impacts Microsoft’s text-to-speech engine.
“This patch is interesting for a couple of different reasons. First, newer functionalities like text-to-speech have a somewhat unknown attack surface,” wrote Dustin Childs, a certified information systems security professional with Zero Day Initiative, in an analysis.
“This isn’t the first text-to-speech related bug – Android had one a few years ago – but it’s certainly not often seen,” he added. “Secondly, Microsoft doesn’t state a sample exploit scenario, but since generating speech requires an HTTP POST request to the speech service, it’s possible this could be remotely accessible if your application is network facing. Either way, if you employ text-to-speech, don’t overlook this patch.”
In all, the 39 bugs patched by Microsoft represent a relatively low number of vulnerabilities to address in one month, especially when compared to the 87 reported flaws reported by Adobe on Tuesday.
