Hello, welcome to the Wednesday, December 12, 2018 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich.

And then I'm recording from Jacksonville, Florida.

And well, it's a patched Tuesday, so let's start with this Microsoft patched 39 vulnerabilities, 10 of which are rated critical.

Now, one of the critical vulnerabilities was Adobe's Flash Update, which was already

released last week, so this just rolls this into the normal monthly update cycle.

In addition to this Flash War on flash vulnerability, which was apparently used

against some hospital in Russia, Microsoft also patched a Windows kernel elevation of bridge

vulnerability that also was already used in the wild. In addition, there was a dot-net framework

denial of service vulnerability that also was already

disclosed but hasn't really been seen in active exploits yet.

Now the big winner here as usual is the chakra scripting engine.

It accounts for five of the critical vulnerabilities. The Chakra scripting engine is, of course,

Microsoft scripting engine that you find in browsers. So all of these vulnerabilities are accessible

via malicious content in your web browser. The one vulnerability I don't really have seen much about, but I think that you should

probably pay attention to is the Windows DNS server heap overflow vulnerability.

That's CVE 2018-8626.

Microsoft rate is critical with a CVSS score of 9.8, but considers exploitation less likely.

Now, as far as patching priorities go, well, I would certainly prioritize all of these browser

and scripting vulnerabilities, and like I said, watch your DNS servers probably expedite that particular patch a little bit.

Now with Adobe already releasing this flash update last week, they only had Adobe Acrobat

and Reader Patch for today.

...