Microsoft and Adobe delivered the November issue of Patch Tuesday with another hands-off package of security fixes to install as soon as possible.
The trick is to test and deploy patches before exploits are built to exploit vulnerabilities.
BitLocker Errors and TFTP Problems for Redmond
This month, Microsoft has eliminated the fixes for 62 vulnerabilities listed in CVE for Windows workstations and server editions, as well as Office, Edge, and Internet Explorer.
Among the 62 bugs are eight for the Chakra script engine in the Edge browser. Each of the vulnerabilities are remote code execution failures that, if exploited by a malicious web page, would allow the attacker to execute malware and execute actions on the infiltrated machine with the permission level of the logged on user. All are listed as Critical Hazards & # 39;
Obtaining the critical stamp was also CVE-2018-8476, a remote code execution failure in the TFTP (Trivial File Transfer Protocol) protocol. Jimmy Graham, director of product management at security company Qualys, says administrators who remotely install and manage Windows boxes over a network will want to pay close attention to this fix.
"Microsoft Windows Deployment Services (WDS) use TFTP to support image deployment through PXE boot," explained Graham.
"The patch for CVE-2018-8476 should be prioritized if WDS is used in your environment."
Remote code bugs have also been fixed in Microsoft Chart Component (CVE-2018-8553), Dynamics 365 (CVE-2018-8609), and Windows VBScript Engine (CVE-2018-8584).
Administrators must also ensure that they correct publicly disclosed errors of CVE-2018-8584 (a privilege escalation of publicly disclosed privilege in Windows ALPC), CVE-2018-8566 (encryption bypass in BitLocker), and CVE-2018-8589 ( a Win32k privilege elevation bug is already being directed in the wild).
Elsewhere, Microsoft has fixed two code-remote execution failures in Word (CVE-2018-8539, CVE-2018-8573), four cross-site scripting failures in Dynamics 365 (CVE-2018-8605, CVE-2018- 8606, CVE-2018-8607, CVE-2018-8608) a denial of service bug in Skype for Business (CVE-2018-8546) and two PowerShell bugs that could allow remote code execution (CVE-2018 -8256, CVE-2018-8415.)
Adobe publishes a trio of updates
Adobe has marked Patch Tuesday by releasing patches for three of its most popular products.
For Flash Player, the update will address CVE-2018-15978, an out-of-bounds reading failure that would potentially allow an attacker to view sensitive data.
For Acrobat and Reader, the November patch erases CVE-2018-15978, an information disclosure failure that would allow attackers to remove NTLM single sign-on password hashes. Proof code was posted for failure, but no attack was reported in the wild yet.
Finally, for Photoshop CC, an update will clear CVE-2018-15980, an out-of-bounds reading failure that would potentially allow for the disclosure of information. ®