This month's Patch Tuesday is medium in size, with 47 vulns covered and only 7 labeled as Critical. Twenty-six of the vulns apply to Windows Servers and Workstation operating systems. Two of the Criticals apply to Hyper-V and could lead to RCE on the host system. Microsoft also issued and out-of-band patch in December for Internet Explorer 9 through 11 due to active attacks in the wild. Last week, Adobe also released out-of-band patches for Acrobat and Reader covering two Critical vulns.
Workstation Patches
Browser and Scripting Engine patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users. Four of the 7 critical vulns are for Chakra / Microsoft Edge and should be prioritized for these types of systems.
Out-of-band IE Patch
On December 19, Microsoft issued an out-of-band patch (CVE-2018-8653) for Internet Explorer 9 through 11 due to targeted active attacks against this vulnerability that were discovered in the wild. This patch should also be prioritized to all workstation-type devices.
Hyper-V
Two of the vulns apply to Hyper-V, and could potentially lead to a VM escape. Microsoft does label these as 'Exploitation Less Likely,' but Hyper-V hosts should still have these Critical patches prioritized.
Adobe Patches
Adobe released patches for Flash, but they do not contain security updates. However, security patches were released for Adobe Digital Editions and Adobe Connect, covering two Important CVEs. In addition, patches were released out-of-band last week for Acrobat and Reader, covering two Critical CVEs. These patches should be prioritized for workstation-type devices.
Related
December 2018 Patch Tuesday - 39 Vulns, Workstation Patches, Adobe VulnsDecember 11, 2018In 'The Laws of Vulnerabilities'
September 2018 Patch Tuesday - 61 Vulns, FragmentSmack, Hyper-V EscapeSeptember 11, 2018In 'The Laws of Vulnerabilities'
October 2018 Patch Tuesday - 49 Vulns, Critical browser patches, Hyper-V, Adobe vulnsOctober 9, 2018In 'The Laws of Vulnerabilities'
Attachments
Original document
Permalink
Disclaimer
Qualys Inc. published this content on 08 January 2019 and is solely responsible for the information contained herein. Distributed by Public, unedited and unaltered, on 08 January 2019 20:13:03 UTC
Qualys, Inc. is a provider of a cloud-based platform delivering information technology (IT), security and compliance solutions. The Companyâs integrated suite of IT, security and compliance solutions delivered on Qualys' Enterprise TruRisk Platform enables its customers to identify and manage their IT and operational technology (OT) assets, collect, and analyze large amounts of IT security data, recommend, and implement remediation actions and verify the implementation of such actions. It provides its solutions through a software-as-a-service model, primarily with renewable annual subscriptions. Its cloud platform offers an integrated suite of solutions that automates the lifecycle of asset discovery and management, security and compliance assessments, and remediation for an organizationâs IT infrastructure and assets, whether such infrastructure and assets reside inside the organization, on their network perimeter, on endpoints or in the cloud.