It's the last Patch Tuesday of 2018! As is often the case in December, it's a relatively light one with "only" 38 CVEs. (Every other month in 2018 clocked in with at least 50 patched vulnerabilities.) This is in addition to the two Adobe Flash CVEs that were patched out-of-band last week, due to a remote code execution (RCE) vulnerability being actively exploited. Speaking of 0-days, a privilege escalation bug patched today has also been seen exploited in the wild (CVE-2018-8611). There's also a fix for a denial of service vulnerability in web applications built with .NET Framework (CVE-2018-8517) which was publicly disclosed before today, but no reports of exploitation yet. Nine of this month's CVEs are considered Critical, and the rest Important.

The mix of affected products is fairly standard, with most fixes being browser-related and a handful of Office patches. The most critical this month is server side: CVE-2018-8626 is an RCE against Windows DNS Server which could allow an unauthenticated attacker to run arbitrary code by issuing a malicious request to the server. Other server-side fixes include SharePoint (two CVEs), Exchange Server 2016 (CVE-2018-8604, a tampering vulnerability that allows a targeted user's profile data to be modified by an authenticated but unauthorized attacker), and Microsoft Dynamics NAV (a spoofing vulnerability that could allow cross-site scripting attacks).

Notable vulnerabilities this month on the client side are an RCE in Internet Explorer (CVE-2018-8631) and another in Edge (CVE-2018-8624), both of which Microsoft considers most likely to be exploited. Similarly, CVE-2018-8628 is an RCE in all supported versions of PowerPoint which is also likely to be used by attackers.

In other Adobe news, new versions of Acrobat and Reader were released today that fix 87 separate vulnerabilities. 39 of these are considered Critical, as they can result in arbitrary code execution. It might seem like a lot (and I wouldn't disagree) but it's not unusual as Acrobat releases go. The massive attack surface represented by Acrobat and Reader means it is crucial to stay up-to-date. May all your patching be merry!

Vulnerability Count by Component

Vulnerability Count by Impact

Vulnerability Count by Severity

CVSSv3 Base Score Distribution
Note: not all CVEs had CVSSv3 data available at the time of writing