Adobe and Microsoft each released updates today to tackle critical security weaknesses in their software. Microsoft’s December patch batch is relatively light, addressing more than three dozen vulnerabilities in Windows and related applications. Adobe has issued security fixes for its Acrobat and PDF Reader products, and has a patch for yet another zero-day flaw in Flash Player that is already being exploited in the wild.
At least nine of the bugs in the Microsoft patches address flaws the company deems “critical,” meaning they can be exploited by malware or ne’er-do-wells to install malicious software with little or no help from users, save for perhaps browsing to a hacked or booby-trapped site.
Microsoft patched a zero-day flaw that is already being exploited (CVE-2018-8611) and allows an attacker to elevate their privileges on a host system. The weakness, which is present on all support versions of Windows, is tagged tagged with the less severe “important” rating by Microsoft mainly because it requires an attacker to be logged on to the system first.
According to security firm Rapid7, other notable vulnerabilities this month are in Internet Explorer (CVE-2018-8631) and Edge (CVE-2018-8624), both of which Microsoft considers most likely to be exploited. Similarly, CVE-2018-8628 is flaw in all supported versions of PowerPoint which is also likely to be used by attackers.
It generally can’t hurt for Windows users to wait a day or two after Microsoft releases monthly security updates before installing the fixes; occasionally buggy patches can cause serious headaches for users who install them before all the kinks are worked out. Also, it’s a good idea to get in the habit of backing up your data before installing Windows updates.
Windows 10 likes to install patches all in one go and reboot your computer on its own schedule. Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update.
For its part, Adobe’s got new versions of Adobe Reader and Adobe Acrobat that plug dozens of security holes in the programs. Also, last week Adobe issued an emergency patch to fix a zero-day flaw in Flash Player that bad guys are now using in active attacks.
Fortunately, the most popular Web browser by a long shot — Google Chrome — auto-updates Flash but also is now making users explicitly enable Flash every time they want to use it (Microsoft also bundles Flash with IE/Edge and updates it whenever Windows systems install monthly updates). By the summer of 2019 Google will make Chrome users go into their settings to enable it every time they want to run it.
Firefox also forces users with the Flash add-on installed to click in order to play Flash content; instructions for disabling or removing Flash from Firefox are here. Adobe will stop supporting Flash at the end of 2020.
As always, if you experience any problems installing any of these patches this month, please feel free to leave a comment about it below; there’s a good chance other readers have experienced the same and may even chime in here with some helpful tips.
Ghacks writeup on December 2018 Patch Tuesday.