Death by PowerPoint and other vulnerabilities


Microsoft’s December 2018 Patch Tuesday release includes fixes for several critical vulnerabilities, including one in PowerPoint which affects all versions since PowerPoint 2010.

The PowerPoint bug (CVE-2018-8628) would allow an attacker to create a specially crafted file which, when opened by PowerPoint, would enable the attacker to run arbitrary code as the logged-in user. According to Microsoft:

“If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”

With the Christmas season’s imminent arrival, many organisations see an increase in fun and light-hearted end-of-year emails. This may make it more likely that staff could be tricked into opening an email attachment containing a malicious PowerPoint file and so fall victim to an attack. This is further complicated for organisations that operate a change freeze during the Christmas peak processing season and so are forced to delay the installation of some patches.

Christmas Email Safety Reminder

Now would be an apposite time to remind your staff and users to take care before opening unexpected email attachments by asking themselves the following questions:

  • Does the FROM email address domain match the usual address this sender uses?
  • Does the CONTENT feel right – do the grammar and tone match the usual communications from this person?
  • Am I EXPECTING this email and the attachment from the sender?
  • Is the sender someone I TRUST and do they usually send me this kind of email?
  • Is the email free from any promise of something EMBARRASSING, titillating or an implied THREAT if not opened?

If you cannot answer YES to these questions, do not open the attachment until you have spoken to the sender by phone to confirm the email is valid and safe.
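
As an added illustration (not part of the original article), the FROM-domain question from the checklist can also be applied at the mail gateway to messages carrying PowerPoint files while the patch is delayed. The sender directory, extension list, addresses and sample messages below are constructed assumptions.

```python
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# PowerPoint extensions to hold for review (assumed list; extend to suit).
PPT_EXTENSIONS = (".ppt", ".pptx", ".pptm", ".pps", ".ppsx", ".ppsm")
# Hypothetical directory: display name -> domain that person normally sends from.
USUAL_DOMAINS = {"alice smith": "example.com"}


def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def triage(raw_message, usual_domains=USUAL_DOMAINS):
    """Return reasons to hold a message carrying a PowerPoint file; [] = deliver."""
    msg = message_from_string(raw_message)
    decks = [p.get_filename() for p in msg.walk()
             if (p.get_filename() or "").lower().endswith(PPT_EXTENSIONS)]
    if not decks:
        return []  # only PowerPoint attachments are in scope for this check
    # The display name is what the reader sees, so look up the domain it implies.
    name = parseaddr(msg.get("From", ""))[0].strip().lower()
    from_domain = domain_of(msg.get("From"))
    reasons = []
    expected = usual_domains.get(name)
    if expected is None:
        reasons.append("sender not in directory")
    elif from_domain != expected:
        reasons.append(f"From domain {from_domain} != usual {expected}")
    reply_to = domain_of(msg.get("Reply-To"))
    if reply_to and reply_to != from_domain:
        reasons.append(f"Reply-To domain {reply_to} differs from From")
    return reasons


def sample(from_header, filename):
    """Build a constructed test message with a single attachment."""
    m = EmailMessage()
    m["From"] = from_header
    m["To"] = "bob@example.com"
    m["Subject"] = "Christmas quiz"
    m.set_content("Have a look!")
    m.add_attachment(b"constructed bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()
```

A message held by `triage` still needs the phone confirmation described above before it is released to the recipient.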

December Patch Tuesday

Other notable vulnerabilities patched in the December Microsoft Patch Tuesday update include:

CVE-2018-8611: This zero-day flaw in the Windows Kernel is already being exploited and allows an attacker to escalate their privilege on a host system running Windows 7 through 10 or Windows Server. This means any logged-in user could use a specially crafted application to gain administrator privileges on the host system.

A remote code execution vulnerability in Internet Explorer (CVE-2018-8631) and Microsoft Edge (CVE-2018-8624) could allow an attacker to gain access to the user’s system with the same access rights as the logged-in user simply by getting the user to visit a malicious or compromised website. The vulnerability allows arbitrary code to be executed on the user’s Windows computer.

Security breaches typically happen when several vulnerabilities are exploited, forming stepping stones which transport the attacker from the internet to your valuable internal systems.  What initially appear to be trivial vulnerabilities can be used to leverage more dangerous actions by an attacker.

For example, using just the vulnerabilities described above, an attacker could trick a member of staff in your organisation into visiting a malicious website through social engineering or a fraudulent spam email. Then, by exploiting the Internet Explorer vulnerability described above, the attacker is able to execute code on the user’s workstation. You may think this is a trivial risk, as none of your users have administrator privileges and so are not able to change their system settings or install applications. However, the arbitrary code that is executed exploits the Windows Kernel vulnerability described above, and now the attacker is able to use the host system with administrator privileges and leverage this to attack other devices on your network.

All of the updates mentioned in this article fix problems with how the code in question handles objects stored in memory; the vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code.

For more information on the patches included in the Microsoft December update, see the release notes: https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/6c54acc6-2ed2-e811-a980-000d3a33a34d

 
