A lighter Patch Tuesday this month as Microsoft released just 38 security patches for December, including a fix for a privilege escalation bug that has reportedly been exploited in the wild. A patch for a denial-of-service vulnerability in web applications built with .NET Framework was also released; that vulnerability is not under active exploitation at this time. Of the patches, nine updates are considered critical, and most of those are browser related. The rest are rated important and should also be prioritized.
“The mix of affected products is fairly standard, with most fixes being browser-related and a handful of Office patches. The most critical this month is server-side: CVE-2018-8626 is an RCE against Windows DNS Server which could allow an unauthenticated attacker to run arbitrary code by issuing a malicious request to the server,” said Greg Wiseman of Rapid7 in a blog post on the releases.
Wiseman said server-related fixes to note this month include two CVEs for SharePoint, as well as patches for Exchange Server 2016 and Microsoft Dynamics NAV.
Here are the highlights from this month’s release with the information you need to prioritize your patching efforts.
CVE-2018-8611 – Windows Kernel Elevation of Privilege Vulnerability