Today, Microsoft released its monthly security patches --known as the Patch Tuesday updates. This month the Redmond-based company fixed 38 vulnerabilities across a large set of products.
For the fourth month in a row, Microsoft patched a Windows OS zero-day vulnerability that was being exploited in the wild.
Just like in the last two months, and for the third month in a row, this zero-day was being (ab)used in nation-state cyber-espionage operations. Just like last month, there were two cyber-espionage groups abusing this zero-day, and not just one, suggesting some sort of infrastructure sharing, or common leadership.
CVE-2018-8611 --the zero-day
This zero-day, which Microsoft is tracking as CVE-2018-8611, is an elevation of privilege in the Windows Kernel.
According to Microsoft, "[the] vulnerability exists when the Windows kernel fails to properly handle objects in memory."
"An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode," the company said today. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
Microsoft says an attacker will first need a foothold on an infected computer, but this is not as hard as it sounds, especially when you're being targeted by a nation-state group.
Responsible for discovering this new zero-day are, once again, security researchers from Kaspersky Lab. A Kaspersky Lab spokesperson told ZDNet that the same two cyber-espionage groups who were abusing the Windows zero-day patched in November (CVE-2018-8589) were also behind the attacks with CVE-2018-8611.
Kaspersky Lab experts also discovered the zero-day abused a month prior, in October. That zero-day (CVE-2018-8453) was also an elevation of privilege, and was abused by the FruityArmor cyber-espionage group.
A month prior, in September, Microsoft patched another Windows zero-day (CVE-2018-8440). This one wasn't used by state-sponsored hackers, but by regular cyber-criminals that were spreading a basic backdoor.
Flash zero-day fix included
But this wasn't the only zero-day included in the December 2018 Patch Tuesday. Today's Microsoft updates also includes a fix (ADV180031) for the Flash zero-day disclosed last week, which was also used by a nation-state cyber-espionage group.
ZDNet has put together a summary of today's Patch Tuesday release as an HTML table, available online here.
- Websites are attacked 58 times a day, even when patched properly (TechRepublic)
- UN finds cybersecurity is a struggle worldwide (CNET)
More information is also available on Microsoft's official Security Update Guide portal, available here, which also includes interactive filtering options so users can find the updates and patches for only the products that are of interest.
Earlier today, Adobe also released another set of security updates, this time for the Adobe Acrobat and Reader applications.
SAP, too, has released security updates, which also include a patch for a very serious security issue that received a severity rating of 9.9 out of 10.
- Super Micro says external security audit found no evidence of backdoor chips
- Over 40,000 credentials for government portals found online
- Google+ hit by second API bug impacting 52.5 million users
- Malicious sites abuse 11-year-old Firefox bug that Mozilla failed to fix
- Half of the Tor Project's funding now comes from the private sector