This month’s Patch Tuesday is medium in size, with 47 vulns covered and only 7 labeled as Critical. Twenty-six of the vulns apply to Windows Servers and Workstation operating systems. Two of the Criticals apply to Hyper-V and could lead to RCE on the host system. Microsoft also issued and out-of-band patch in December for Internet Explorer 9 through 11 due to active attacks in the wild. Last week, Adobe also released out-of-band patches for Acrobat and Reader covering two Critical vulns.
Browser and Scripting Engine patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users. Four of the 7 critical vulns are for Chakra / Microsoft Edge and should be prioritized for these types of systems.
Out-of-band IE Patch
On December 19, Microsoft issued an out-of-band patch (CVE-2018-8653) for Internet Explorer 9 through 11 due to targeted active attacks against this vulnerability that were discovered in the wild. This patch should also be prioritized to all workstation-type devices.
Two of the vulns apply to Hyper-V, and could potentially lead to a VM escape. Microsoft does label these as “Exploitation Less Likely,” but Hyper-V hosts should still have these Critical patches prioritized.
Adobe released patches for Flash, but they do not contain security updates. However, security patches were released for Adobe Digital Editions and Adobe Connect, covering two Important CVEs. In addition, patches were released out-of-band last week for Acrobat and Reader, covering two Critical CVEs. These patches should be prioritized for workstation-type devices.