
Microsoft Patch Tuesday, November 2018

The second-to-last Patch Tuesday of 2018 is here with patches for 55 CVEs. This includes 11 rated "Critical", 42 rated "Important" and one each rated "Moderate" and "Low". The release also contains three advisories: the standard patch rollup for Adobe Flash, an advisory rated "Important" covering an elevation of privilege vulnerability in Microsoft Surface devices, and a final, unrated advisory that provides guidance for configuring BitLocker for file encryption.

Our old friend the Microsoft Scripting Engine is back, with Remote Code Execution (RCE) vulnerabilities taking up the majority of the "Critical" CVE list, but also pay attention to CVE-2018-8476, which is an RCE vulnerability in the Windows TFTP server. Among the CVEs rated as "Important" are RCE vulnerabilities that affect client-side software like Excel, Word, Project, PowerShell and Outlook. Microsoft Exchange Server and Microsoft SharePoint are also on the list with Elevation of Privilege vulnerabilities, so make sure these servers get patched, especially if they're public-facing.

Here in the US, November is a time to give thanks, so let's be thankful for patches that plug security holes.

Critical

Chakra Scripting Engine Memory Corruption Vulnerability
CVE-2018-8541, CVE-2018-8542, CVE-2018-8543, CVE-2018-8551, CVE-2018-8555, CVE-2018-8556, CVE-2018-8557, CVE-2018-8588
Remote Code Execution

Microsoft Graphics Components Remote Code Execution Vulnerability
CVE-2018-8553
Remote Code Execution

Windows Deployment Services TFTP Server Remote Code Execution Vulnerability
CVE-2018-8476
Remote Code Execution

Windows VBScript Engine Remote Code Execution Vulnerability
CVE-2018-8544
Remote Code Execution

November 2018 Adobe Flash Security Update
ADV180025
Remote Code Execution

Important

Active Directory Federation Services XSS Vulnerability
CVE-2018-8547
Spoofing

Azure App Service Cross-site Scripting Vulnerability
CVE-2018-8600
Spoofing

BitLocker Security Feature Bypass Vulnerability
CVE-2018-8566
Security Feature Bypass

DirectX Elevation of Privilege Vulnerability
CVE-2018-8485, CVE-2018-8554, CVE-2018-8561
Elevation of Privilege

DirectX Information Disclosure Vulnerability
CVE-2018-8563
Information Disclosure

Internet Explorer Memory Corruption Vulnerability
CVE-2018-8570
Remote Code Execution

Microsoft Edge Elevation of Privilege Vulnerability
CVE-2018-8567
Elevation of Privilege

Microsoft Edge Information Disclosure Vulnerability
CVE-2018-8545
Information Disclosure

Microsoft Edge Spoofing Vulnerability
CVE-2018-8564
Spoofing

Microsoft Excel Remote Code Execution Vulnerability
CVE-2018-8574, CVE-2018-8577
Remote Code Execution

Microsoft Exchange Server Elevation of Privilege Vulnerability
CVE-2018-8581
Elevation of Privilege

Microsoft JScript Security Feature Bypass Vulnerability
CVE-2018-8417
Security Feature Bypass

Microsoft Outlook Information Disclosure Vulnerability
CVE-2018-8558, CVE-2018-8579
Information Disclosure

Microsoft Outlook Remote Code Execution Vulnerability
CVE-2018-8522, CVE-2018-8524, CVE-2018-8576, CVE-2018-8582
Remote Code Execution

Microsoft PowerShell Remote Code Execution Vulnerability
CVE-2018-8256
Remote Code Execution

Microsoft PowerShell Tampering Vulnerability
CVE-2018-8415
Tampering

Microsoft Project Remote Code Execution Vulnerability
CVE-2018-8575
Remote Code Execution

Microsoft RemoteFX Virtual GPU miniport driver Elevation of Privilege Vulnerability
CVE-2018-8471
Elevation of Privilege

Microsoft SharePoint Elevation of Privilege Vulnerability
CVE-2018-8568, CVE-2018-8572
Elevation of Privilege

Microsoft SharePoint Information Disclosure Vulnerability
CVE-2018-8578
Information Disclosure

Microsoft Word Remote Code Execution Vulnerability
CVE-2018-8539, CVE-2018-8573
Remote Code Execution

MSRPC Information Disclosure Vulnerability
CVE-2018-8407
Information Disclosure

Win32k Elevation of Privilege Vulnerability
CVE-2018-8562
Elevation of Privilege

Win32k Information Disclosure Vulnerability
CVE-2018-8565
Information Disclosure

Windows ALPC Elevation of Privilege Vulnerability
CVE-2018-8584
Elevation of Privilege

Windows Audio Service Information Disclosure Vulnerability
CVE-2018-8454
Information Disclosure

Windows COM Elevation of Privilege Vulnerability
CVE-2018-8550
Elevation of Privilege

Windows Elevation Of Privilege Vulnerability
CVE-2018-8592
Elevation of Privilege

Windows Kernel Information Disclosure Vulnerability
CVE-2018-8408
Information Disclosure

Windows Scripting Engine Memory Corruption Vulnerability
CVE-2018-8552
Information Disclosure

Windows Search Remote Code Execution Vulnerability
CVE-2018-8450
Remote Code Execution

Windows Security Feature Bypass Vulnerability
CVE-2018-8549
Security Feature Bypass

Windows Win32k Elevation of Privilege Vulnerability
CVE-2018-8589
Elevation of Privilege

Microsoft Surface Devices Elevation of Privilege Vulnerability
ADV180027
Security Feature Bypass

Moderate

.NET Core Tampering Vulnerability
CVE-2018-8416
Tampering

Low

Microsoft Skype for Business Denial of Service Vulnerability
CVE-2018-8546
Denial of Service

Not Rated

Guidance for configuring BitLocker to enforce software encryption
ADV180028

About the Author

Karl Sigler is Security Research Manager, SpiderLabs Threat Intelligence at Trustwave. Karl is a 20-year infosec veteran responsible for research and analysis of current vulnerabilities, malware and threat trends at Trustwave. Follow Karl on LinkedIn.
