Microsoft released its monthly set of security updates today. The December 2019 Patch Tuesday fixes a total of 36 vulnerabilities across various products: 7 flaws are rated critical and 28 are rated important. All of the critical vulnerabilities lead to Remote Code Execution; the remaining bugs could allow an attacker to cause Denial of Service, Elevation of Privilege, Information Disclosure, Remote Code Execution, Security Feature Bypass or Spoofing.
CVE-2019-1458: Active Exploitation Detected
Even though Patch Tuesday seems rather light for Microsoft this month, it did not run short of zero-days. According to Microsoft, CVE-2019-1458 is an elevation of privilege vulnerability in Windows that occurs when the Win32k component improperly handles objects in memory. Successful exploitation could allow an attacker to execute arbitrary code in kernel mode and take control of the system. However, an attacker would first need to log on to the system before exploiting it, so this is a post-authentication privilege escalation rather than a remote entry point.
Microsoft reported that this vulnerability is being actively exploited. Researchers have pointed out that CVE-2019-1458 was used in conjunction with a Google Chrome zero-day as part of Operation WizardOpium, carried out by attackers last month. For more information, refer to our blog here.
Critical Vulnerabilities
Five of the seven critical vulnerabilities (CVE-2019-1349, CVE-2019-1350, CVE-2019-1352, CVE-2019-1354 and CVE-2019-1387) are Remote Code Execution bugs in Git for Visual Studio alone. These issues arise from improper sanitization of input in Git for Visual Studio. Successful exploitation could give an attacker complete access to the system, but the attacker would first have to convince a user to clone a malicious repository. The updates address these vulnerabilities by correcting how Git for Visual Studio validates command-line input.
CVE-2019-1468 is a critical remote code execution vulnerability in Win32k Graphics that allows an attacker to take control of a system using commonly seen delivery techniques. With a little social engineering, an attacker can convince a user to view a specially crafted website that exploits the underlying vulnerability, or trick the user into clicking links or opening malicious attachments delivered through email or instant messaging platforms. This issue was addressed by correcting how the Windows font library handles embedded fonts.
Another impactful vulnerability to consider is CVE-2019-1471, a flaw that exists when Windows Hyper-V on a host server improperly validates input from an authenticated user on a guest operating system. It allows execution of arbitrary code on the host operating system when a crafted file is run on the guest OS, that is, a guest-to-host escape. Security researcher Dustin Childs adds that, with modern computing systems depending more and more on virtualization, such bugs are likely to become more common in the threat landscape.
Strangely, Microsoft released an advisory for a vulnerability (CVE-2019-1489) in Windows XP, which has reached end of life. CVE-2019-1489 is an information disclosure vulnerability in Windows Remote Desktop Protocol (RDP) due to improper handling of objects in memory. Successful exploitation would allow an attacker to gain sensitive information to further compromise the system.
Microsoft mentioned in the advisory:
"Microsoft will not provide an update for this vulnerability because Windows XP is out of support. Microsoft strongly recommends upgrading to a supported version of Windows software."
Microsoft security bulletin summary for December 2019:
- Microsoft Windows
- Internet Explorer
- Microsoft Office and Microsoft Office Services and Web Apps
- SQL Server
- Visual Studio
- Skype for Business
Product : Microsoft Windows
CVEs/Advisory : CVE-2019-1453, CVE-2019-1458, CVE-2019-1465, CVE-2019-1466, CVE-2019-1467, CVE-2019-1468, CVE-2019-1469, CVE-2019-1470, CVE-2019-1471, CVE-2019-1472, CVE-2019-1474, CVE-2019-1476, CVE-2019-1477, CVE-2019-1478, CVE-2019-1480, CVE-2019-1481, CVE-2019-1483, CVE-2019-1484, CVE-2019-1488, CVE-2019-1489
Severity : Critical
Impact : Denial of Service, Elevation of Privilege, Information Disclosure, Remote Code Execution, Security Feature Bypass
KBs : 4530681, 4530684, 4530689, 4530691, 4530692, 4530695, 4530698, 4530702, 4530714, 4530715, 4530717, 4530719, 4530730, 4530734
Product : Internet Explorer
CVEs/Advisory : CVE-2019-1485
Severity : Important
Impact : Remote Code Execution
KBs : 4530677, 4530681, 4530684, 4530689, 4530691, 4530695, 4530702, 4530714, 4530715, 4530717, 4530734
Product : Microsoft Office and Microsoft Office Services and Web Apps
CVEs/Advisory : CVE-2019-1400, CVE-2019-1461, CVE-2019-1462, CVE-2019-1463, CVE-2019-1464, CVE-2019-1490
Severity : Important
Impact : Denial of Service, Information Disclosure, Remote Code Execution, Spoofing
KBs : 4461590, 4461613, 4475598, 4475601, 4484094, 4484166, 4484169, 4484179, 4484180, 4484182, 4484184, 4484186, 4484190, 4484192, 4484193, 4484196, 4534761
Product : SQL Server
CVEs/Advisory : CVE-2019-1332
Severity : Important
Impact : Spoofing
Product : Visual Studio
CVEs/Advisory : CVE-2019-1349, CVE-2019-1350, CVE-2019-1351, CVE-2019-1352, CVE-2019-1354, CVE-2019-1387, CVE-2019-1486
Severity : Critical
Impact : Remote Code Execution, Spoofing, Tampering
Product : Skype for Business
CVEs/Advisory : CVE-2019-1490
Severity : Important
Impact : Spoofing
KBs : 4534761
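As an added example (not code from this post, from Microsoft, or from Saner), the following PowerShell snippet checks a local Windows host against the KB numbers listed in the Microsoft Windows and Internet Explorer rows of the summary above. The KB numbers are copied from the summary; the function name Test-DecemberPatch and the shape of its output are my own choices.

```powershell
# Added example, not part of the original post: a read-only check of which
# December 2019 Windows / Internet Explorer KBs from the bulletin summary are
# present on this host. Each Windows build receives a single cumulative
# update, so one match is the expected healthy result, not all fifteen.

# KB numbers taken from the Microsoft Windows and Internet Explorer rows above.
$DecemberKBs = @(
    'KB4530677','KB4530681','KB4530684','KB4530689','KB4530691','KB4530692',
    'KB4530695','KB4530698','KB4530702','KB4530714','KB4530715','KB4530717',
    'KB4530719','KB4530730','KB4530734'
)

function Test-DecemberPatch {
    param(
        [string[]]$ExpectedKBs = $DecemberKBs   # hypothetical parameter name
    )

    # Get-HotFix reads the Win32_QuickFixEngineering class. It lists cumulative
    # updates, but it can lag behind or omit some entries, so treat "no match"
    # as "verify further" (e.g. via the OS build number), not as proof of
    # a missing patch.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

    # Wrap in @() so an empty pipeline yields an empty array, not $null.
    $found = @($ExpectedKBs | Where-Object { $installed -contains $_ })

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OSBuild      = (Get-CimInstance Win32_OperatingSystem).BuildNumber
        MatchedKBs   = $found
        Patched      = ($found.Count -gt 0)
    }
}

# Usage: run in an elevated or standard PowerShell session on the host to check.
Test-DecemberPatch | Format-List
```

Because the summary lists one cumulative KB per supported Windows version, a host that reports exactly one matched KB is in the expected state; a host that reports none should be cross-checked against its OS build number before being flagged as unpatched, since Win32_QuickFixEngineering is not an authoritative inventory of installed updates.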
SecPod Saner detects these vulnerabilities and automatically fixes them by applying the security updates. Download Saner now and keep your systems updated and secure.