It's November 2018, and Microsoft's super-secure Edge browser can be pwned eight different ways by a web page
Look, we're tired of doing these headlines too, but there's patching to do
Microsoft and Adobe have delivered the November edition of Patch Tuesday with another sizable bundle of security fixes to install as soon as you're able to.
The trick is to test and deploy the fixes before exploits are developed to leverage the vulnerabilities.
BitLocker bugs and TFTP troubles for Redmond
This month, Microsoft has kicked out fixes for 62 CVE-listed vulnerabilities for both its workstation and server editions of Windows as well as Office, Edge and Internet Explorer.
Among the 62 bugs are eight for the Chakra scripting engine in the Edge browser. Each of the vulnerabilities are remote code execution flaws that, if exploited by a malicious web page, would allow the attacker to run malware, and perform actions on the infiltrated machine with the permission level of the logged-in user. All are listed as 'critical' risks.
Also earning the critical label was CVE-2018-8476, a remote code execution flaw in Trivial File Transfer Protocol (TFTP). Jimmy Graham, director of product management at security firm Qualys, says admins who remotely install and manage Windows boxes over a network will want to pay close attention to that fix.
"Microsoft’s Windows Deployment Services (WDS) uses TFTP to support image deployment via PXE booting," Graham explained.
"The patch for CVE-2018-8476 should be prioritized if WDS is used in your environment."
Admins will also want to be sure they patch the publicly disclosed bugs from CVE-2018-8584 (a publicly disclosed privilege escalation flaw in Windows ALPC), CVE-2018-8566 (encryption bypass in BitLocker), and CVE-2018-8589 (a Win32k elevation of privilege bug already being targeted in the wild).
Elsewhere, Microsoft patched two remote code execution flaws in Word (CVE-2018-8539, CVE-2018-8573), four cross-site scripting flaws in Dynamics 365 (CVE-2018-8605, CVE-2018-8606, CVE-2018-8607, CVE-2018-8608 ) a denial of service bug in Skype for Business (CVE-2018-8546), and two PowerShell bugs that could allow remote code execution (CVE-2018-8256, CVE-2018-8415.)
Adobe posts a trio of updates
Adobe marked Patch Tuesday by releasing fixes for three of its most popular products.
For Flash Player, the update will address CVE-2018-15978, an out-of-bounds read flaw that would potentially allow an attacker to see sensitive data.
For Acrobat and Reader, November's patch clears up CVE-2018-15978, an information disclosure flaw that would allow attackers to lift NTLM single sign-on password hashes. Proof-of-concept code has been posted for the flaw, but no attacks have been reported in the wild yet.
Finally, for Photoshop CC an update will clear up CVE-2018-15980, an out of bounds read flaw that would potentially allow information disclosure. ®