December Patches: Yule Be Mad To Miss Them

’Tis the season for holiday cheer, roasting chestnuts on an open fire and sipping your favourite festive drink by the tree…but before we can do any of that, we have vulnerabilities to manage. Yes, on the 11th day of Christmas, Microsoft, Adobe and Mozilla have all dished out a number of patches that need to be gift wrapped and express delivered to each of your machines. Here’s all you need to know about this month’s Patch Tuesday release:

Operating System Updates from Windows:

This month Microsoft have addressed 19 issues across all versions of Windows. The pick of the bunch is the Zero Day CVE-2018-8611 | Windows Kernel Elevation of Privilege Vulnerability. It’s affecting multiple versions of Windows and there are already reports of this vulnerability being exploited by attackers. For a full list of affected versions of Windows see here.

Microsoft haven’t yet released the details of how it was exploited, but what they have told us is that an attacker ‘could run arbitrary code’ and ‘install programs, view, change, delete data’ or ‘create new accounts with full user rights’. The good news is, an attacker would first have to log on to your Windows machine. Thanks to dual factor authentication, this is harder than ever to do.

Rounding up the rest of this month’s OS Patch Tuesday release, we can see there are twenty-five security updates to address across the multiple versions of Office. Check out the full list here. There’s a downturn in the number of vulnerabilities flagged in Microsoft browsers; Internet Explorer has 4 patched vulnerabilities listed and Edge has 5.

3rd Party Updates

Adobe have had an eventful month in the lead up to Patch Tuesday. APSB18-44 and APSB18-42 address vulnerabilities that have already been exploited by attackers. A machine can become infected by a user unwittingly running a fake Flash file that installs malware on their machine.

Mozilla have released a patch that resolves several vulnerabilities they have rated as critical. It’s worth paying close attention to this patch as browsers are an easy point of attack for hackers.

Other significant news this month

It’s worth mentioning that Java SE 8 is nearing end of life in terms of the support Oracle will be providing. In January 2019, commercial users of Java SE 8 will no longer receive support. Should any of your systems still be relying on Java SE, it’s worth getting the wheels in motion to upgrade before that level of support is no more.

That’s it from me for this year on the patching front! Happy holidays and see you in January!

Patrick Collins, Vulnerability Management
