December 2019 Patch Tuesday: Microsoft fixes one actively exploited zero-day

For December 2019 Patch Tuesday, Microsoft and Adobe have released the final scheduled security updates for this year, Intel has fixed Plundervolt, and Google has delivered fixes and new and expanded security features for Chrome.

December 2019 Patch Tuesday

Microsoft’s fixes

Microsoft’s security releases are for Windows, Internet Explorer, SQL Server, Visual Studio, Hyper-V Server, Office and Office Services and Web App.

All in all, the company fixed just 36 CVE-numbered flaws. Of these, seven are critical, 28 important and one of moderate severity.

Only one (CVE-2019-1458) is being actively exploited by attackers. Since it’s been flagged by Kaspersky, Trend Micro’s Zero Day Initiative’s Dustin Childs posits that it might be used in conjunction with a recently revealed Chrome use-after-free bug to achieve a sandbox escape.

Other vulnerabilities of note this time around are CVE-2019-1471, a Windows Hyper-V bug that could allow a user on a guest OS to execute arbitrary code on the underlying host OS, and five critical remote code execution vulnerabilities affecting Git for Visual Studio (development environment), which could allow attackers to take over a system – but only if they can convince a user to clone a malicious repository.

According to Richard Melick, Senior Technology Product Manager at Automox, that might not be so difficult.

“By running intelligence gathering in channels like LinkedIn and job listings, an attacker could learn about an organization’s use of Visual Studio and the details of the open-source projects in play. From there, entry into the network could come through a common phishing email technique to the engineering for help troubleshooting a compatibility issue with their open-source software, providing a link to the Git repository, or even for an interview as an example of previous work. The engineering team would then download the malicious repo, allowing the malicious code to execute, giving attacker access,” he told Help Net Security.

Childs also singled out CVE-2019-1485, a remote code execution vulnerability affecting the VBScript engine.

This is a browse-and-own bug, he noted, and advised enterprise administrators to implement the offered IE updates as soon as possible if they have IE in their enterprise.

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked ‘safe for initialization’ in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability,” Microsoft explained.

Finally, an interesting but not critical bypass vulnerability affecting Microsoft Defender (CVE-2019-1488) may be exploited by attackers to flood an enterprise’s security team with warnings and false-positive alerts, possibly to hide legitimate alerts triggered by a wider ongoing attack. To exploit the vulnerability, though, they would first require execution permissions on the victim system.

Microsoft has also released servicing stack updates for each operating system it supports and a security advisory explaining how to clean up orphaned keys generated on vulnerable TPMs and used for Windows Hello for Business (WHfB), but not automatically deleted when the device they were created on is no longer present.

“An authenticated attacker could obtain orphaned keys created on TPMs that were affected by CVE-2017-15361 (ROCA), discussed in Microsoft Security Advisory ADV170012 to compute their WHfB private key from the orphaned public keys,” the company warned.

“The attacker could then impersonate the user by using the stolen private key to authenticate as the user within the domain using Public Key Cryptography for Initial Authentication (PKINIT). This attack is possible even if firmware and software updates have been applied to TPMs that were affected by CVE-2017-15361 because the corresponding public keys might still exist in Active Directory.”

The company also made sure to remind users of Windows 7 and Windows Server 2008 R2 that they’ll no longer be receiving updates after January 14, 2020, and urged them to update any computers running these two OSes to newer, supported versions.

Adobe’s fixes

As pre-announced last week, Adobe has released security updates for Adobe Acrobat and Reader, for Windows and macOS.

Most of the fixed vulnerabilities are critical, including a security bypass flaw (CVE-2019-16453), and all could be exploited to achieve arbitrary code execution. The flaws rated “important” include a set of information disclosure bugs and one that could be used to escalate privileges on the underlying system.

The Photoshop CC updates for Windows and macOS fix two critical memory corruption flaws that could lead to code execution.

The security updates for Brackets, Adobe’s free and open-source source code editor, are available for Windows, macOS and Linux users and plug a critical command injection hole discovered by Google Project Zero researcher Tavis Ormandy (CVE-2019-8255).

There’s one final security update for ColdFusion version 2018, which resolves an  important vulnerability  that could lead to privilege escalation.   

There are no security update for Adobe Flash this time.

Intel’s fixes

Intel has released eleven security advisories and addressed twelve CVE-numbered flaws in a variety of its offerings.

Among these is CVE-2019-11157, an improper conditions check in voltage settings for some Intel Processors, which could be exploited remotely to access sensitive data stored in their secure enclave (SGX).

The attack, dubbed Plundervolt, has been detailed by the researchers who found the issue and reported it.

“Intel has worked with system vendors to develop a microcode update that mitigates the issue by locking voltage to the default settings. We are not aware of any of these issues being used in the wild, but as always, we recommend installing security updates as soon as possible. Your computer manufacturer is the best source to obtain most updates from,” Intel noted.

Chrome 79

Coinciding with the December 2019 Patch Tuesday, Google has released the newest version (v79) of its popular Chrome browser.

It brings a number of security fixes, but also new and expanded security features like:

  • Incorporated Password Checkup, to warn users if their username and password have been compromised in a data breach on some site or app
  • Improved Google Safe Browsing, which now provides real-time phishing protection on the desktop
  • Predictive phishing protection – warns users if they enter their Google Account password into a site that they suspect of phishing, and does the same for for all the passwords users store in Chrome’s password manager.

Don't miss