Microsoft Repairs 12 Critical Weaknesses on November Patch Tuesday

Microsoft has released repairs for 12 dangerous weaknesses in November Patch Tuesday and has repaired a fault that is being actively abused by at least one threat group. In total, 64 weaknesses have been repaired across Windows, IE, Edge, and other Microsoft products.

The 12 dangerous weaknesses might let hackers carry out a malevolent code and take complete control of a weak appliance. The bulk of the dangerous weaknesses are in the Chakra Scripting Engine, which account for 8 of the 12 serious faults.

CVE-2018-8541, CVE-2018-8542, CVE-2018-8543, CVE-2018-8551, CVE-2018-8555, CVE-2018-8556, CVE-2018-8557, and CVE-2018-8588, are all memory corruption weaknesses regarding how the Chakra Scripting Engine controls items in the memory in Microsoft Edge. All eight weaknesses might be abused if a user visits a particularly created webpage using the Microsoft Edge browser. The weaknesses might also be abused through malvertising.

The other dangerous weaknesses are listed below:

CVE-2018-8476 concerns how matters in the memory are controlled by Windows Deployment Services TFTP Server. Misuse of the weakness would let a hacker perform arbitrary code on a weak server with elevated authorizations.

CVE-2018-8544concerns how matters in the memory are controlled by Windows VBScript Engine. If abused, an attacker could implement arbitrary code with the same level of rights as the present user.  If the user has administrative privileges, an attacker could take complete control of a weak system. The weakness could be abused through an inserted Active X control in a Microsoft Office file that hosts the IE rendering engine, through malvertising, or specifically created webpages.

CVE-2018-8553 concerns how items in the memory are controlled by Microsoft Graphics Components. Misuse of the weakness would require a user to open a specifically created file, for example, one sent in a phishing electronic mail.

CVE-2018-8609is the failure of Microsoft Dynamics 365 (on-premises) version 8 to clean web requests to a Dynamics server. If abused, an attacker might run arbitrary code in the context of an SQL service. The fault might be abused by sending a specifically created request to an unpatched Dynamics server.

Microsoft also released a patch for the actively abused Windows Win32k Elevation of Privilege Weakness CVE-2018-8589. If abused, an attacker might run arbitrary code in the safety setting of the local system. Nevertheless, system access would first need to be gained before the fault might be abused.

Adobe has also released patches this patch Tuesday for Flash Player, Acrobat, Reader, and Photoshop CC.