November rains also bring relief for IBM WebSphere flaw

Microsoft has addressed 62 vulnerabilities – 13 of which are critical – in the November edition of its monthly Patch Tuesday update cycle.

The patch batch includes relief from a zero-day privilege escalation vulnerability in Win32k systems (CVE-2018-8589). Two of the other vulnerabilities discussed this month have already been flagged within security circles.

CVE-2018-8566 covers a security bypass in BitLocker, which created a risk that hackers with physical access to a powered-off system could access encrypted data.

A separate security shortcoming stops default use of hardware encryption by BitLocker on certain self-encrypting drives – an unwise choice in the wake of recent security research that uncovered encryption loopholes in SSDs.

Administrators should prioritise patching these previously known and actively exploited vulnerabilities, according to Rapid7, the firm behind the Metasploit penetration testing tool.

The remainder of November’s security fixes address security bugs in browsers, Office and Redmond’s enterprise-focused server software.

“Most of this month’s vulnerabilities are browser-related, but Office is giving Microsoft’s Scripting Engine a run for its money with a total of 11 vulnerabilities being addressed,” said Greg Wiseman, senior security researcher at Rapid7.

“On the server side, Microsoft has updated Exchange Server, SharePoint, Dynamics, and Team Foundation Server. Also of note is CVE-2018-8476, a critical remote code execution (RCE) vulnerability in the Windows Deployment Services TFTP [Trivial File Transfer Protocol] Server, which allows an attacker to execute arbitrary code on affected systems with elevated permissions.”

The SANS Institute’s Internet Storm Centre has published a helpful summary of these various vulnerabilities, along with ratings on their severity, in a blog post. Microsoft has also published its security update guide.

In other enterprise patching news, IBM has released interim fixes for its WebSphere Application Server to provide relief from a severe remote code execution vulnerability (CVE-2018-1567).

Left unresolved, the bug created a means for hackers to execute arbitrary Java code through the SOAP connector linked to a vulnerable IBM WebSphere Application Server.

The flaw – which earned a CVSS base score of 9.8, close to the maximum severity rating of 10 – is a strong candidate for prompt triage. IBM WebSphere Application Server versions 7.0, 8.0, 8.5, and 9.0 are all potentially vulnerable.

IBM has released interim fixes and advice to users while it works on more comprehensive patches.

Adobe, obviously keen not to be left out, also published a critical update for Adobe Acrobat and Reader and a patch for a less severe fault in Flash on Tuesday.