Microsoft has released repairs for 12 dangerous vulnerabilities in November Patch Tuesday and has repaired a vulnerability that is being actively abused by at least one threat group. In total, 64 vulnerabilities have been repaired across Windows, IE, Edge, and other Microsoft products.
The 12 dangerous vulnerabilities might let hackers carry out a malevolent code and take complete control of a vulnerable appliance. The bulk of the dangerous vulnerabilities are in the Chakra Scripting Engine, which
CVE-2018-8541, CVE-2018-8542, CVE-2018-8543, CVE-2018-8551, CVE-2018-8555, CVE-2018-8556, CVE-2018-8557, and CVE-2018-8588, are all memory corruption vulnerabilities regarding how the Chakra Scripting Engine controls items in the memory in Microsoft Edge. All eight vulnerabilities might be abused if a user visits a particularly created webpage using the Microsoft Edge browser. The vulnerabilities might also be abused through malvertising.
The other dangerous vulnerabilities are listed below:
CVE-2018-8476 concerns how matters in the memory are controlled by Windows Deployment Services TFTP Server. Misuse of the vulnerabilities would let a hacker perform arbitrary code on a vulnerable server with elevated authorizations.
CVE-2018-8544 concerns how matters in the memory are controlled by Windows VBScript Engine. If abused, an attacker could implement arbitrary code with the same level of rights as the present user. If the user has administrative privileges, an attacker could take complete control of a vulnerable system. The vulnerability could be abused through an inserted Active X control in a Microsoft Office file that hosts the IE rendering engine, through malvertising, or specifically created webpages.
CVE-2018-8553 concerns how items in the memory are controlled by Microsoft Graphics Components. Misuse of the vulnerability would require a user to open a specifically created file, for example, one sent in a phishing electronic mail.
CVE-2018-8609 is the failure of Microsoft Dynamics 365 (on-premises) version 8 to clean web requests to a Dynamics server. If abused, an attacker might run arbitrary code in the context of an SQL service. The fault might be abused by sending a specifically created request to an unpatched Dynamics server.
Microsoft also released a patch for the actively abused Windows Win32k Elevation of Privilege Vulnerability CVE-2018-8589. If abused, an attacker might run arbitrary code in the safety setting of the local system. Nevertheless, system access would first need to be gained before the vulnerability might be abused.
Adobe has also released patches this patch Tuesday for Flash Player, Acrobat, Reader, and Photoshop CC.