Patch Tuesday Briefing – November 2018
As a service to our customers, we post a monthly update when Patch Tuesday (second Tuesday of every month) rolls around. Below, you’ll find information about the new updates released from Microsoft and Adobe this month, and context that may be helpful as you prioritize the remediation of these newly released vulnerabilities. This month we’re adjusting our Patch Tuesday briefing format to focus on vulnerabilities that have been seen by Kenna’s sensor network in the past 6 months.
Three CVEs have been added to the “detected” list this month after being seen in the wild by Kenna’s sensor network: CVE-2018-8453, CVE-2018-8584, and CVE-2018-8589. All are local, elevation of privilege vulnerabilities affecting versions of Microsoft Windows.
- CVE-2018-8453 (released in October) was assigned to the vulnerability used by the “FruityArmor” group against targets in the Middle East over the last few months.
- CVE-2018-8584 (released in November cycle) was assigned to the ALPC vulnerability discovered by @sandboxescaper this month after being 0day’d in October.
- CVE-2018-8589(released in November cycle) was assigned to a previously unknown vulnerability, which is also now being used against targets in the Middle East.
At time of writing, a total of 10 CVEs released in the prior six Patch Tuesdays – July, August, September, October, November – have seen detection events in the wild by Kenna’s global threat telemetry:
- CVE-2018-5028 (released in July cycle)
- CVE-2018-12794 (released in July cycle)
- CVE-2018-8353 (released in August cycle)
- CVE-2018-8401 (released in August cycle)
- CVE-2018-8414 (released in August cycle)
- CVE-2018-8353 (released in September cycle)
- CVE-2018-8440 (released in September cycle)
- CVE-2018-8453 (released in October cycle)
- CVE-2018-8584 (released in November cycle)
- CVE-2018-8589 (released in November cycle)
These vulnerabilities comprise the known Microsoft and Adobe “Patch Tuesday” vulnerabilities known to be used by attackers in the wild since mid-July, and constitute a slightly less-than-2% rate of exploitation in the wild across all Adobe and Microsoft CVEs released in the last six months, consistent with the findings in our Prioritization to Prediction report.
We recommend organizations work to remediate all vulnerabilities released in the November update – particularly Adobe vulnerabilities and those marked critical by Microsoft, and that organizations focus first those vulnerabilities with detected events; an extremely strong indicator of risk to vulnerable organizations.
As always, Kenna risk scores are highly dynamic, and subject to adjustment based on new intelligence. To check the latest scoring and data, sign up here.