Microsoft December 2019 Security Updates (includes fix for one active exploit)

Microsoft issued the December 2019 Security Updates, which include fixes for 36 unique vulnerabilities, 7 of them rated critical and 29 rated important. One of the patches addresses a Win32k vulnerability under active attack in the wild.

The security updates address vulnerabilities in multiple Microsoft products, including:

  • Internet Explorer
  • Microsoft Office and Microsoft Office Services and Web Apps
  • Microsoft Windows
  • Skype for Business
  • SQL Server
  • Visual Studio

Microsoft has provided patches for each of the CVEs summarized in the December 2019 Security Updates Release Notes.

Active exploit in the wild

Microsoft confirmed that a Win32k elevation of privilege vulnerability, CVE-2019-1458, is being exploited in the wild. The vulnerability is rated important and impacts multiple versions of the Windows server and desktop operating systems.

“An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft warned in the advisory.

Organizations should prioritize this patch along with the critical vulnerabilities listed below.

Critical Remote Code Execution Vulnerabilities

All 7 of the critical patches address remote code execution (RCE) vulnerabilities across multiple product families, including Windows and Developer Tools.

Five of the critical RCE bugs impact Git for Visual Studio – CVE-2019-1349, CVE-2019-1350, CVE-2019-1352, CVE-2019-1354 and CVE-2019-1387.

Microsoft stated in each advisory that Git for Visual Studio improperly sanitizes input, which could result in remote code execution. However, an attacker would also need to convince the user to clone a malicious repo in order to exploit the vulnerability.

One of the other RCE vulnerabilities, CVE-2019-1471, impacts Windows Hyper-V.

Microsoft said Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system.

The last of the remote code execution vulnerabilities, CVE-2019-1468, exists in Win32k Graphics. The Windows font library improperly handles specially crafted embedded fonts, which could also result in remote code execution.

Of the other 29 vulnerabilities rated Important, 1 was related to Denial of Service, 5 to Elevation of Privilege, 14 to Information Disclosure, 4 to Remote Code Execution, 1 to Security Feature Bypass and 4 to Spoofing.

Readers can also check out more vulnerability and patch details in Microsoft’s Security Update Guide.