For the fourth month in a row, Microsoft patches Windows zero-day used in the wild

Microsoft also fixes 38 other security bugs, 9 of which are rated "Critical."
Written by Catalin Cimpanu, Contributor

Today, Microsoft released its monthly security patches --known as the Patch Tuesday updates. This month the Redmond-based company fixed 38 vulnerabilities across a large set of products.

For the fourth month in a row, Microsoft patched a Windows OS zero-day vulnerability that was being exploited in the wild.

Also: OpSec mistake brings down network of Dark Web money counterfeiter

Just like in the last two months, and for the third month in a row, this zero-day was being (ab)used in nation-state cyber-espionage operations. Just like last month, there were two cyber-espionage groups abusing this zero-day, and not just one, suggesting some sort of infrastructure sharing, or common leadership.

CVE-2018-8611 --the zero-day

This zero-day, which Microsoft is tracking as CVE-2018-8611, is an elevation of privilege in the Windows Kernel.

According to Microsoft, "[the] vulnerability exists when the Windows kernel fails to properly handle objects in memory."

"An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode," the company said today. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

Microsoft says an attacker will first need a foothold on an infected computer, but this is not as hard as it sounds, especially when you're being targeted by a nation-state group.

Responsible for discovering this new zero-day are, once again, security researchers from Kaspersky Lab. A Kaspersky Lab spokesperson told ZDNet that the same two cyber-espionage groups who were abusing the Windows zero-day patched in November (CVE-2018-8589) were also behind the attacks with CVE-2018-8611.

Kaspersky Lab experts also discovered the zero-day abused a month prior, in October. That zero-day (CVE-2018-8453) was also an elevation of privilege, and was abused by the FruityArmor cyber-espionage group.

A month prior, in September, Microsoft patched another Windows zero-day (CVE-2018-8440). This one wasn't used by state-sponsored hackers, but by regular cyber-criminals that were spreading a basic backdoor.

Flash zero-day fix included

But this wasn't the only zero-day included in the December 2018 Patch Tuesday. Today's Microsoft updates also includes a fix (ADV180031) for the Flash zero-day disclosed last week, which was also used by a nation-state cyber-espionage group.

ZDNet has put together a summary of today's Patch Tuesday release as an HTML table, available online here.

Must read

More information is also available on Microsoft's official Security Update Guide portal, available here, which also includes interactive filtering options so users can find the updates and patches for only the products that are of interest.

Earlier today, Adobe also released another set of security updates, this time for the Adobe Acrobat and Reader applications.

SAP, too, has released security updates, which also include a patch for a very serious security issue that received a severity rating of 9.9 out of 10.

Cybercrime and malware, 2019 predictions

Related stories:

Editorial standards