Microsoft rolled out its December security updates on Tuesday. For the fourth month in a row, the Redmond-based company had to step in to fix a zero-day vulnerability that was being exploited in the wild.
A total of 38 vulnerabilities have been resolved, nine of which are critical according to Microsoft. The most important reason to update as soon as possible is a new zero-day vulnerability that is already being exploited in the wild and that Microsoft fixes with this patch.
It is the fourth month in a row that an actively exploited zero-day vulnerability in Windows has had to be patched on Patch Tuesday. As in the past two months, this is a vulnerability that is known to be used by state cyber-espionage groups to break into systems.
The new zero-day (CVE-2018-8611) allows an attacker to execute arbitrary code in kernel mode. The attacker can then install programs on the affected system, view and manipulate data, or create new accounts with full user rights.
Microsoft emphasizes that an attacker must first gain access to a system to be able to execute the code, but that in itself is not so difficult, especially for a state-backed hacking group.
The zero-day was discovered by researchers from Kaspersky Lab, who also reported zero-days in Windows in November and October. As far as is known, the zero-day vulnerability that Microsoft closed in September was not exploited by state-linked actors, but by regular cyber criminals.
Microsoft’s December update round also includes a fix for a zero-day in Flash, which was discovered last week and is also being exploited by a national cyber-espionage group.