Information Security News |
This month we got patches for 36 vulnerabilities total. From those, seven are rated critical and one is already being exploited according to Microsoft.
The exploited vulnerability (CVE-2019-1458) may allow a local attacker to elevate privileges and run arbitrary code in kernel mode. This vulnerability was reported by Kaspersky Labs and, according to Zero Day Initiative (ZDI) [1], Kaspersky also reported a UAF vulnerability in Google Chrome web browser [2] early November this year. When Chrome bug became public, there were speculations that it was being used in conjunction with a Windows Kernel bug to escape the sandbox. According to ZDI, while its not confirmed CVE-2019-1458 is connected to Chrome attacks, this is the type of bug that could be used to perform a sandbox escape.
Amongst critical vulnerabilities, it worth mentioning CVE-2019-1471 a Windows Hyper-V Remote Code Execution Vulnerability. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code.
See Renato's dashboard for a more detailed breakout: https://patchtuesdaydashboard.com
December 2019 Security Updates
December 2019 Security Updates
| Description | |||||||
|---|---|---|---|---|---|---|---|
| CVE | Disclosed | Exploited | Exploitability (old versions) | current version | Severity | CVSS Base (AVG) | CVSS Temporal (AVG) |
| Git for Visual Studio Remote Code Execution Vulnerability | |||||||
| %%cve:2019-1349%% | N | N | - | - | Critical | ||
| %%cve:2019-1350%% | N | N | - | - | Critical | ||
| %%cve:2019-1352%% | N | N | - | - | Critical | ||
| %%cve:2019-1354%% | N | N | - | - | Critical | ||
| %%cve:2019-1387%% | N | N | - | - | Critical | ||
| Git for Visual Studio Tampering Vulnerability | |||||||
| %%cve:2019-1351%% | N | N | - | - | Moderate | ||
| Latest Servicing Stack Updates | |||||||
| ADV990001 | N | N | - | - | Critical | ||
| Microsoft Access Information Disclosure Vulnerability | |||||||
| %%cve:2019-1400%% | N | N | - | - | Important | ||
| %%cve:2019-1463%% | N | N | - | - | Important | ||
| Microsoft Authentication Library for Android Information Disclosure Vulnerability | |||||||
| %%cve:2019-1487%% | N | N | - | - | Important | ||
| Microsoft Defender Security Feature Bypass Vulnerability | |||||||
| %%cve:2019-1488%% | N | N | - | - | Important | 3.3 | 3.0 |
| Microsoft Excel Information Disclosure Vulnerability | |||||||
| %%cve:2019-1464%% | N | N | - | - | Important | ||
| Microsoft Guidance for cleaning up orphaned keys generated on vulnerable TPMs and used for Windows Hello for Business | |||||||
| ADV190026 | N | N | - | - | - | ||
| Microsoft PowerPoint Remote Code Execution Vulnerability | |||||||
| %%cve:2019-1462%% | N | N | - | - | Important | ||
| Microsoft SQL Server Reporting Services XSS Vulnerability | |||||||
| %%cve:2019-1332%% | N | N | - | - | Important | ||
| Microsoft Word Denial of Service Vulnerability | |||||||
| %%cve:2019-1461%% | N | N | Less Likely | Less Likely | Important | ||
| Remote Desktop Protocol Information Disclosure Vulnerability | |||||||
| %%cve:2019-1489%% | N | N | - | - | Important | ||
| Skype for Business Server Spoofing Vulnerability | |||||||
| %%cve:2019-1490%% | N | N | - | - | Important | ||
| VBScript Remote Code Execution Vulnerability | |||||||
| %%cve:2019-1485%% | N | N | - | - | Important | 7.5 | 6.7 |
| Visual Studio Live Share Spoofing Vulnerability | |||||||
| %%cve:2019-1486%% | N | N | - | - | Important | ||
| Win32k Elevation of Privilege Vulnerability | |||||||
| %%cve:2019-1458%% | Y | Y | - | - | Important | 7.8 | 7.2 |
| Win32k Graphics Remote Code Execution Vulnerability | |||||||
| %%cve:2019-1468%% | N | N | - | - | Critical | 8.4 | 7.6 |
| Win32k Information Disclosure Vulnerability | |||||||
| %%cve:2019-1469%% | N | N | - | - | Important | 5.5 | 5.0 |
| Windows COM Server Elevation of Privilege Vulnerability | |||||||
| %%cve:2019-1478%% | N | N | - | - | Important | 7.8 | 7.0 |
| Windows Elevation of Privilege Vulnerability | |||||||
| %%cve:2019-1476%% | N | N | - | - | Important | 7.8 | 7.0 |
| %%cve:2019-1483%% | N | N | - | - | Important | 7.8 | 7.0 |
| Windows GDI Information Disclosure Vulnerability | |||||||
| %%cve:2019-1465%% | N | N | - | - | Important | 5.5 | 5.0 |
| %%cve:2019-1466%% | N | N | - | - | Important | 5.5 | 5.0 |
| %%cve:2019-1467%% | N | N | - | - | Important | 5.5 | 5.0 |
| Windows Hyper-V Information Disclosure Vulnerability | |||||||
| %%cve:2019-1470%% | N | N | - | - | Important | 6.0 | 5.4 |
| Windows Hyper-V Remote Code Execution Vulnerability | |||||||
| %%cve:2019-1471%% | N | N | - | - | Critical | 8.2 | 7.4 |
| Windows Kernel Information Disclosure Vulnerability | |||||||
| %%cve:2019-1472%% | N | N | - | - | Important | 5.5 | 5.0 |
| %%cve:2019-1474%% | N | N | - | - | Important | 5.5 | 5.0 |
| Windows Media Player Information Disclosure Vulnerability | |||||||
| %%cve:2019-1480%% | N | N | - | - | Important | 5.5 | 5.0 |
| %%cve:2019-1481%% | N | N | - | - | Important | 5.5 | 5.0 |
| Windows OLE Remote Code Execution Vulnerability | |||||||
| %%cve:2019-1484%% | N | N | - | - | Important | 7.8 | 7.0 |
| Windows Printer Service Elevation of Privilege Vulnerability | |||||||
| %%cve:2019-1477%% | N | N | - | - | Important | 7.8 | 7.0 |
| Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability | |||||||
| %%cve:2019-1453%% | N | N | Less Likely | Less Likely | Important | 7.5 | 6.7 |
[1] https://www.zerodayinitiative.com/blog/2019/12/10/the-december-2019-security-update-review
[2] https://www.kaspersky.com/blog/google-chrome-zeroday-wizardopium/29126/
--
Renato Marinho
Morphus Labs| LinkedIn|Twitter