Microsoft has released today the December 2019 Patch Tuesday security updates. This month's updates include fixes for 36 vulnerabilities, including a zero-day in the Windows operating system that has been exploited in the wild.
"An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory," Microsoft said in a security advisory today.
"An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode," it added. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
Microsoft credited security researchers from Kaspersky Lab with discovering the zero-day, which it tracks as CVE-2019-1458.
Dustin Childs, a member of Trend Micro's Zero Day Initiative (ZDI), believes this Windows zero-day is connected to a zero-day that Google patched in Chrome at the end of October (namely CVE-2019-13720).
"[Kaspersky] reported a UAF in Chrome that was under active exploit," Childs said. "When that [Chrome] bug became public, there was speculation it was being paired with a Windows kernel bug to escape the sandbox.
"While it's not confirmed this patch is connected to those Chrome attacks, this is the type of bug one would use to perform a sandbox escape," he added.
According to Kaspersky, the Chrome zereo-day was being used by a hacker group called WizardOpium to lure users on malicious sites, where they'd use the Chrome zero-day to infect them with malware.
Following this article's publication, Kaspersky confirmed Childs' theory in a blog post that officially linked the two zero-days.
Other fixes
In total, Microsoft fixed 36 security bugs this month, of which only seven were rated critical. This is Microsoft's smallest Patch Tuesday update this year, and one of the lightest in the past three years.
Other important bugs patched this month that pose a serious risk of being used in malware campaigns or targeted attacks are CVE-2019-1468 (a remote code execution in the Win32k component) and CVE-2019-1471 (a remote code execution bug in the Windows Hyper-V virtualization toolkit).
Besides Windows, other products that received fixes include SQL Server, Visual Studio, Skype for Business, Microsoft Office, and Microsoft Office Services and Web Apps.
Additional useful Patch Tuesday information is below:
- Microsoft's official Security Update Guide portal lists all security updates in a filterable table.
- ZDNet also put together this page listing all security updates on one single page, in one place.
- Additional analysis of today's Patch Tuesday is also available from Cisco Talos, SANS ISC, Tenable, and Trend Micro.
- This month's Adobe security updates are detailed here.
- SAP security updates are detailed here.
- Intel security updates are available here.
- The Android Security Bulletin for December 2019 is detailed here. Patches started rolling out to users' phones last week.
- A new version of Google Chrome has also been released today.
- Apple has also released today security updates for iOS and iPadOS 13.3.
| Tag | CVE ID | CVE Title |
|---|---|---|
| Servicing Stack Updates | ADV990001 | Latest Servicing Stack Updates |
| | ADV190026 | Microsoft Guidance for cleaning up orphaned keys generated on vulnerable TPMs and used for Windows Hello for Business |
| End of Life Software | CVE-2019-1489 | Remote Desktop Protocol Information Disclosure Vulnerability |
| Microsoft Graphics Component | CVE-2019-1465 | Windows GDI Information Disclosure Vulnerability |
| Microsoft Graphics Component | CVE-2019-1468 | Win32k Graphics Remote Code Execution Vulnerability |
| Microsoft Graphics Component | CVE-2019-1466 | Windows GDI Information Disclosure Vulnerability |
| Microsoft Graphics Component | CVE-2019-1467 | Windows GDI Information Disclosure Vulnerability |
| Microsoft Office | CVE-2019-1400 | Microsoft Access Information Disclosure Vulnerability |
| Microsoft Office | CVE-2019-1464 | Microsoft Excel Information Disclosure Vulnerability |
| Microsoft Office | CVE-2019-1461 | Microsoft Word Denial of Service Vulnerability |
| Microsoft Office | CVE-2019-1462 | Microsoft PowerPoint Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2019-1463 | Microsoft Access Information Disclosure Vulnerability |
| Microsoft Scripting Engine | CVE-2019-1485 | VBScript Remote Code Execution Vulnerability |
| Microsoft Windows | CVE-2019-1453 | Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability |
| Microsoft Windows | CVE-2019-1476 | Windows Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2019-1477 | Windows Printer Service Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2019-1474 | Windows Kernel Information Disclosure Vulnerability |
| Microsoft Windows | CVE-2019-1478 | Windows COM Server Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2019-1483 | Windows Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2019-1488 | Microsoft Defender Security Feature Bypass Vulnerability |
| Open Source Software | CVE-2019-1487 | Microsoft Authentication Library for Android Information Disclosure Vulnerability |
| Skype for Business | CVE-2019-1490 | Skype for Business Server Spoofing Vulnerability |
| SQL Server | CVE-2019-1332 | Microsoft SQL Server Reporting Services XSS Vulnerability |
| Visual Studio | CVE-2019-1350 | Git for Visual Studio Remote Code Execution Vulnerability |
| Visual Studio | CVE-2019-1349 | Git for Visual Studio Remote Code Execution Vulnerability |
| Visual Studio | CVE-2019-1486 | Visual Studio Live Share Spoofing Vulnerability |
| Visual Studio | CVE-2019-1387 | Git for Visual Studio Remote Code Execution Vulnerability |
| Visual Studio | CVE-2019-1354 | Git for Visual Studio Remote Code Execution Vulnerability |
| Visual Studio | CVE-2019-1351 | Git for Visual Studio Tampering Vulnerability |
| Visual Studio | CVE-2019-1352 | Git for Visual Studio Remote Code Execution Vulnerability |
| Windows Hyper-V | CVE-2019-1471 | Windows Hyper-V Remote Code Execution Vulnerability |
| Windows Hyper-V | CVE-2019-1470 | Windows Hyper-V Information Disclosure Vulnerability |
| Windows Kernel | CVE-2019-1472 | Windows Kernel Information Disclosure Vulnerability |
| Windows Kernel | CVE-2019-1458 | Win32k Elevation of Privilege Vulnerability |
| Windows Kernel | CVE-2019-1469 | Win32k Information Disclosure Vulnerability |
| Windows Media Player | CVE-2019-1480 | Windows Media Player Information Disclosure Vulnerability |
| Windows Media Player | CVE-2019-1481 | Windows Media Player Information Disclosure Vulnerability |
| Windows OLE | CVE-2019-1484 | Windows OLE Remote Code Execution Vulnerability |