Fewer than 40 unique common vulnerabilities and exposures made December Patch Tuesday a light end to the year, but administrators still must address Microsoft security patches for a zero-day and public disclosure.
Microsoft fixed the zero-day vulnerability (CVE-2018-8611) through which attackers could run arbitrary code in Windows kernel through an elevation of privilege. Limiting privileges would not prevent the attack on any Windows versions and Windows Servers, said Chris Goettl, director of product management and security at Ivanti, based in South Jordan, Utah. The patch corrects how Windows kernel handles objects in memory and could give the attacker full access to the targeted system. Kaspersky Lab researchers Igor Soumenkov and Boris Larin discovered the vulnerability, which has been exploited in the wild.
To exploit the publicly disclosed denial-of-service vulnerability (CVE-2018-8517), attackers can send a specially crafted request to the web application remotely without authentication. The patch fixes how the .NET Framework handles the crafted web requests.
Additionally, prior to December Patch Tuesday, Adobe resolved two zero-day vulnerabilities in Flash (CVE-2018-15981 and CVE-2018-15982) for administrators to patch.
Uphill battle for Microsoft security patches in 2018
The Meltdown and Spectre vulnerabilities that emerged in January 2018 loomed large and persisted through the year. The security flaws affected most operating systems and many processors — Intel, AMD and ARM — and existed for approximately 20 years before their discovery. Microsoft patched the critical vulnerabilities, but initial mitigations caused blue-screen reboot issues.
“We will continue to see more and more variants until new chipsets are introduced that architect beyond these types of issues. There has to be a fundamental change created to put an end to this,” Goettl said.
Administrators may continue to endure faulty fixes and Spectre variants. In November, academics discovered seven new CPU attacks, including two Meltdown variants and five Spectre attack variations.
“One of the promises made by Microsoft in changing to this new update model was their ability to more easily deliver updates with less issue. I don’t think we’ve seen as good of a return on that part of the promise as advertised,” Goettl said.
Microsoft’s 2018 security updates beyond Meltdown and Spectre also frustrated administrators, who viewed Microsoft security patches as unreliable and the number of known issues difficult to follow. When some July patches caused startup problems in Windows desktop and server versions, Microsoft rolled back the updates and suggested Exchange customers delay their updates for the .NET Framework. Overall, Microsoft’s security patches this year, starting with Meltdown and Spectre fixes, often caused more problems than they solved.
“The number of known issues is too difficult for companies to follow, and this leads to administrators having to delay pushing updates out to environments,” Goettl said. “We need a better repository of known issues from all vendors. We need to crowdsource this type of information.”
Universal drivers show upcoming change
Intel may drive a fundamental change in Microsoft security patches in the upcoming year. Intel’s Windows Modern Drivers for Windows 10 and Windows Server 2019, released in November 2018, marks an evolution in how hardware drivers work. Microsoft distributed drivers through the Windows Update Services previously, but will require Windows Modern Drivers for Windows 10 version 1809 and later.
“Modern driver hardware is probably going to make it a lot easier in something like the Meltdown [or] Spectre situation to make sure that drivers get updated on systems much sooner,” Goettl said.
Chris Goettldirector of product management and security, Ivanti
Some released updates have known driver incompatibility issues. For example, when Intel releases a driver, it is sent to ISPs and partners such as Dell, Lenovo and HP, and each integrate it in their system. Microsoft and hardware vendors will push away from legacy hardware and make everything much more streamlined and easier to deliver through an update system, Goettl said.
The Intel Graphics Control Panel will automatically download and install when connected to the internet. This transitions driver updates away from the old update model and delivers them in a package easier for vendor consumption.
“Windows started to drop support for older CPU versions. I’m guessing the hardware vendors also are making a push to move away from a lot of the really old legacy hardware and make everything much more streamlined,” Goettl said.