Microsoft released today its monthly roll-up of security patches known as Patch Tuesday. This month, the Redmond-based company has fixed 62 security flaws.
Among the 62 fixes, there is also a fix for a zero-day vulnerability that was under active exploitation before today's patches were made available.
Zero-day exploited by multiple APTs
The zero-day, tracked as CVE-2018-8589, impacts the Windows Win32k component. Microsoft classified the issue as an "elevation of privilege" vulnerability and says that an attacker must first find a way to infect a system and run malicious code on it, using other exploits, before they can use this zero-day to gain elevated privileges.
Microsoft credited Kaspersky Lab researchers for discovering this zero-day. A Kaspersky spokesperson told ZDNet that they discovered the zero-day being exploited by multiple cyber-espionage groups (APTs).
The zero-day had been used to elevate privileges on 32-bit Windows 7 versions. The company plans to publish a blog post tomorrow morning, November 14, with more information about CVE-2018-8589 and the way it was exploited.
This is the second Windows elevation of privilege zero-day that Microsoft has patched in as many months, and both have been discovered by Kaspersky researchers.
Last month, Microsoft patched CVE-2018-8453, another zero-day that had been used by a state-backed cyber-espionage group known as FruityArmor.
Windows Data Sharing Service zero-day also patched
This month, Microsoft has also patched the zero-day that was disclosed on Twitter at the end of October, the one affecting the Windows Data Sharing Service (dssvc.dll).
Microsoft also published this month a security advisory to instruct users on how to properly configure BitLocker when used together with solid-state drives (SSDs).
Earlier this month, Dutch researchers proved that it was possible to bypass BitLocker encryption on some SSDs and retrieve a user's data without needing the (BitLocker) user-set password. The advisory will help users make sure their data is safe, even when stored on vulnerable internal or external SSDs.
The rest of this month's security patches also address vulnerabilities in products such as Windows, Internet Explorer, Microsoft Edge, the ChakraCore JavaScript engine, .NET Core Framework, Skype for Business, Team Foundation Server, Microsoft Dynamics 365, Azure App Service on Azure Stack, Microsoft Office and Microsoft Office Services and Web Apps.
Twelve of the 62 November 2018 Patch Tuesday vulnerabilities have been categorized as Critical, needing immediate patches due to their severity.
ZDNet has put together a summary of today's Patch Tuesday release in an HTML table, available online here.
More information is also available on Microsoft's official Security Update Guide portal, available here, which also includes interactive filtering options so users can find the updates and patches for only the products that are of interest.
Besides releasing its November security updates, Microsoft today also re-released Windows 10 1809 and Windows Server 2019, after the company had hit some pretty big snags during last month's initial rollout.
Other Patch Tuesdays
Earlier today, Adobe also released security updates. This month, the company shipped fixes for Adobe Flash Player, Adobe Photoshop CC, and Adobe Acrobat and Reader.
SAP has also been releasing security updates on the same day as Microsoft, and this month, the company has patched a serious vulnerability that received a CVSSv3 severity score of 9.9 out of 10.
Article updated on November 14 with link to Kaspersky blog post and to state that Microsoft had also patched a second zero-day.