Last updated at Wed, 14 Nov 2018 20:29:23 GMT
Microsoft's patches this month address over 60 vulnerabilities. Just like last month, another zero-day privilege escalation vulnerability in Win32k has been patched. CVE-2018-8589 has been seen exploited in the wild, and allows a logged-in attacker to execute arbitrary code in the security context of a vulnerable system. Two of this month's other vulnerabilities were already publicly disclosed. CVE-2018-8566 is a Security Feature Bypass in BitLocker, whereby an attacker with physical access to a powered-off system could access encrypted data. This is a distinct issue from the advisory Microsoft published last week (ADV180028), which is a flaw with BitLocker using hardware encryption features of certain self-encrypting drives. The other previously disclosed vulnerability is CVE-2018-8584, an elevation of privilege vulnerability in Windows. Administrators should prioritize patching these previously known and actively exploited vulnerabilities.
As usual, most of the vulns are browser-related this month. But Office is giving Microsoft's Scripting Engine a run for its money with a total of eleven vulnerabilities being addressed. On the server side, Microsoft has updated Exchange Server, SharePoint, Dynamics, and Team Foundation Server. Also of note is CVE-2018-8476, a Critical Remote Code Execution vulnerability in the Windows Deployment Services TFTP Server, which allows an attacker to execute arbitrary code on affected systems with elevated permissions.
Microsoft has also published a list of the most recent servicing stack updates as ADV990001. These do not fix vulnerabilities directly (they're categorized as "Defense in Depth"), but keeping servicing stack code up to date is important (they are often prerequisites to security updates), and having this information centralized should make life easier for some system administrators.
Note: not all CVEs had CVSSv3 data available at the time of writing.