Microsoft issued the November 2018 Security Updates that include 62 unique vulnerability fixes, 12 of them rated critical.
The security updates address vulnerabilities in multiple Microsoft products to include: Windows, Edge, Office, Office Services and Web Apps, ChakraCore, .NET Core, PowerShell Core, Team Foundation Server, Skype for Business and Azure App Service on Azure Stack.
One of the critical patches addresses a zero-day Windows Win32k Elevation of Privilege Vulnerability (CVE-2018-8589).
According to Microsoft, this vulnerability is more likely to be exploited and summarized the threat:
“An elevation of privilege vulnerability exists when Windows improperly handles calls to Win32k.sys…An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
Other updates to take note of include a Windows Deployment Services TFTP Server Remote Code Execution (RCE) vulnerability (CVE-2018-8476) and a Microsoft Dynamics RCE bug (CVE-2018-8609).
The TFTP RCE vulnerability is also highly likely to be exploited, according to Microsoft.
Also, a number of workstation related vulnerabilities could be exploited via browsers or opening up malicious files.
See the Security Update Guide and November summary release notes for more details on all patches.