Microsoft Fixes 11 Critical, 39 Important Vulns

  /     /     /  
Publicated : 22/11/2024   Category : security


Microsoft Fixes 11 Critical, 39 Important Vulns


The most critical vulnerability, experts say, affects Windows Domain Name Systems, while another lets attackers hack Cortana from the lock screen.



Another month, another Patch Tuesday update. Microsoft today released 50 security fixes for problems in ChakraCore, Hyper-V Server, Windows, Microsoft Office, and Office Services. Of these, 11 are rated as Critical severity and 39 are ranked Important.
None of the bugs were under active attack at the time fixes were released, though one was publicly known.
CVE-2018-8267
, a scripting engine memory corruption vulnerability, is considered Critical and could corrupt memory in a way that a successful attacker could gain the rights of a current user and assume control over an affected system.
Microsoft also released updates for Speculative Store Bypass, otherwise known as Spectre Variant 4,
discovered
in May. Todays
patches
provide Windows support for Speculative Store Bypass Disable (SSBD) for Intel processors but require microcode/firmware and registry updates to fully protect against Variant 4.
Security pros point to the importance of CVE-2018-8225, a Windows DNSAPI remote code execution vulnerability that clearly wins for most critical this month, according to researchers at Trend Micros Zero-Day Initiative (ZDI). The flaw exists in the Windows Domain Name System (DNS) when it fails to properly handle DNS responses.
If successfully exploited, the bug could let someone run arbitrary code in the context of the Local System Account. An attacker would have to use a malicious DNS server to transmit corrupted DNS responses to the target, Microsoft
explains
. They could try to man-in-the-middle a legitimate query or trick a DNS server into querying a malicious server. It can be done from the command line or scripted, ZDI researchers explain.
This means there’s a SYSTEM-level bug in a listening service on critical infrastructure servers, which also means this is wormable, they
explain
. Patch Now doesnt even seem forceful enough. I have the sense well be hearing about this bug for a while.
Another critical bug worth noting is
CVE-2018-8231
, an HTTP protocol stack remote code execution vulnerability affecting the Web server component http.sys. An attacker could use code execution to remotely send a malformed packet to a target server and execute code with the same level of privilege as http.sys.
An interesting, though not critical, vulnerability in Windows 10 lets attackers bypass the lock screen through a default configuration for Cortana. Microsofts voice assistant lets anyone interact by saying Hey, Cortana while the device is locked, McAfee researchers
discovered
.
CVE-2018-8140 could let an attacker execute commands via mouse, touchpad, or touchscreen to access data. If youre close enough to a machine to speak with Cortana, youre close enough to query a full menu of documents and execute programs with elevated privileges. Physical access is needed to exploit CVE-2018-8140, and experts dont think remote attacks are likely. However, the bug is worth noting as people bring voice assistants into their homes and offices.
Related Content:
Adobe Issues Emergency Patch for Flash Zero-Day
New Hack Weaponizes the Web Cache
10 Open Source Security Tools You Should Know
MacOS Bypass Flaw Lets Attackers Sign Malicious Code as Apple
 
Top industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Click for 
more information

Last News

▸ Hack Your Hotel Room ◂
Discovered: 23/12/2024
Category: security

▸ Website hacks happened during World Cup final. ◂
Discovered: 23/12/2024
Category: security

▸ Criminal Possession of Government-Grade Stealth Malware ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Microsoft Fixes 11 Critical, 39 Important Vulns