Microsoft issued the November 2019 Security Updates that include 74 unique vulnerability fixes, 13 of those rated critical. In addition, Microsoft provided guidance for a vulnerability CVE-2019-16863 in Trusted Platform Module (TPM).
The security updates include fixes for vulnerabilities in multiple Microsoft products to include:
- Azure Stack
- ChakraCore
- Internet Explorer
- Microsoft Edge (EdgeHTML-based)
- Microsoft Exchange Server
- Microsoft Office and Microsoft Office Services and Web Apps
- Microsoft Windows
- Open Source Software
- Visual Studio.
Microsoft has provided patches for the vulnerabilities for each of the CVEs summarized in the November 2019 Security Updates Release Notes.
Critical Remote Code Execution Vulnerabilities
All 13 of the critical patches address remote code execution (RCE) vulnerabilities for multiple product families to include Windows, Browser, Exchange and Development Tools.
Microsoft confirmed a Scripting Engine Memory Corruption Vulnerability CVE-2019-1429 is being exploited in the wild and impacts Internet Explorer. To add, Microsoft said a VBScript Remote Code Execution Vulnerability CVE-2019-1390 is “more likely” to be exploited.
Four of the RCE vulnerabilities impact Windows Hyper-V: CVE-2019-0721, CVE-2019-1389, CVE-2019-1397 and CVE-2019-1398. Microsoft warns that an attacker could run a specially crafted application on a guest operating system that could then cause the Hyper-V host operating system to execute arbitrary code.
In addition, a remote code execution vulnerability CVE-2019-1373 exists in Microsoft Exchange through the deserialization of metadata via PowerShell.
Of the vulnerabilities rated Important, 6 were related to Denial of Service, 28 Elevation of Privileges, 16 Information Disclosure, another 3 Remote Code Execution, 6 Security Feature Bypass and 3 Spoofing.
TPM vulnerability
Microsoft also published an advisory for a security vulnerability CVE-2019-16863 that exists in certain Trusted Platform Module (TPM) chipsets.
“The vulnerability weakens key confidentiality protection for a specific algorithm (ECDSA). It is important to note that this is a TPM firmware vulnerability, and not a vulnerability in the Windows operating system or a specific application. Currently no Windows systems use the vulnerable algorithm,” Microsoft stated in the security advisory ADV190024 .
Microsoft added that the bug is present in specific vendor’s TPM firmware based on Trusted Computing Guidelines (TCG) specification family 2.0. It was further stated that some third party software may rely on TPM-generated keys and would subsequently be impacted by the TPM vulnerability.
Readers can also check out more vulnerability and patch details in Microsoft’s Security Update Guide.