Microsoft released its November 2019 Patch Tuesday security updates today, fixing 74 Common Vulnerabilities and Exposures (CVEs) across the Windows family of operating systems and related products. Of these, 13 are rated "Critical" and 61 "Important".
Among the 13 Critical vulnerabilities is a scripting engine memory corruption flaw in Internet Explorer (CVE-2019-1429) that is being actively exploited in the wild and is therefore treated as a zero-day.
Zero-day in the Wild:
The vulnerability was reported by Ivan Fratric of Google Project Zero, Clement Lecigne of Google's Threat Analysis Group, iDefense Labs and Resecurity. Microsoft addressed the flaw by changing how the scripting engine handles objects in memory.
That's not all: Microsoft has also released an update for a publicly disclosed vulnerability.
The vulnerability was discovered and published by Outflank, and Will Dormann of the CERT/CC confirmed that it affects fully patched Office 2016 and Office 2019 for Mac.
- Microsoft Office Excel Security Feature Bypass|CVE-2019-1457:
- A security feature bypass vulnerability exists in Microsoft Office 2016 and 2019 for Mac because macro settings are not properly enforced when Excel opens a document in the SYLK format.
- To exploit the vulnerability, an attacker would embed a control in an Excel worksheet stored in the SYLK (SYmbolic LinK) file format that specifies a macro should be run, and then persuade a user to open the specially crafted file with an affected version of Microsoft Office.
- SYLK documents do not open in Protected View. A user opening a specially crafted file gets no warning or prompt from Excel, and none of the protection mechanisms offered by the Protected View security feature.
- Moreover, if Office for Mac has been configured with the "Disable all macros without notification" setting, XLM (Excel 4.0) macros in SYLK files still execute without prompting the user.
- Successful exploitation of the vulnerability could allow a remote attacker to execute arbitrary code, access sensitive information or manipulate data with the privileges of the current user.
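Because a SYLK file reaches Excel without Protected View and, on Mac, runs XLM macros regardless of the macro setting, the practical control is to triage such files before they are opened. The following is an added example (not code from the original post, Outflank or the CERT/CC) that parses a SYLK file and flags the three things that make it an XLM macro carrier: a sheet declared as a macro sheet, an auto-run name such as Auto_open, and cell formulas that call functions which reach outside the workbook. The record layout it relies on is taken from the published SYLK format (one record per line, ';'-separated fields with ';;' as the escape for a literal ';', an 'ID;P' header, an 'E' end record, 'O' sheet options, 'NN' defined names, 'C' cells with X/Y/K/E fields); the function watch-list, the helper names and both sample files are constructed for this illustration.

```python
# Added example, not from the original post: SYLK triage for XLM macro content.
# Record layout assumed from the published SYLK format (see lead-in); the
# watch-list and the two sample files below are constructed for illustration.
import re

# XLM functions that reach outside the workbook (constructed watch-list).
SUSPICIOUS_FUNCS = ("EXEC", "CALL", "REGISTER", "FOPEN", "FWRITE", "RUN", "FORMULA")
# Defined names Excel runs automatically when the workbook opens or closes.
AUTO_NAMES = ("AUTO_OPEN", "AUTO_CLOSE", "AUTO_ACTIVATE", "AUTO_DEACTIVATE")


def split_fields(record: str) -> list:
    """Split one SYLK record on ';', treating ';;' as an escaped semicolon."""
    fields, buf, i = [], "", 0
    while i < len(record):
        if record[i] == ";":
            if record[i + 1:i + 2] == ";":      # escaped ';' inside a field
                buf += ";"
                i += 2
                continue
            fields.append(buf)
            buf = ""
        else:
            buf += record[i]
        i += 1
    fields.append(buf)
    return fields


def is_sylk(data: bytes) -> bool:
    """Identify SYLK by its 'ID;P' header, not by the .slk extension."""
    return data.lstrip(b"\r\n").startswith(b"ID;P")


def triage_sylk(data: bytes) -> dict:
    """Return what makes this SYLK file look like an XLM macro carrier."""
    findings = {"is_sylk": is_sylk(data), "macro_sheet": False,
                "auto_names": [], "formulas": [], "verdict": "not-sylk"}
    if not findings["is_sylk"]:
        return findings
    row = col = 0                       # C records may omit X/Y to reuse the last value
    for line in data.decode("latin-1").splitlines():
        if not line.strip():
            continue
        fields = split_fields(line)
        rtype, opts = fields[0], fields[1:]
        if rtype == "O" and "E" in opts:            # sheet declared as an Excel 4.0 macro sheet
            findings["macro_sheet"] = True
        elif rtype == "NN":                         # defined name, e.g. Auto_open -> auto-run
            name = next((o[1:] for o in opts if o.startswith("N")), "")
            if name.upper() in AUTO_NAMES:
                findings["auto_names"].append(name)
        elif rtype == "C":                          # cell record: X column, Y row, E formula
            for o in opts:
                if o.startswith("X") and o[1:].isdigit():
                    col = int(o[1:])
                elif o.startswith("Y") and o[1:].isdigit():
                    row = int(o[1:])
            expr = next((o[1:] for o in opts if o.startswith("E")), "")
            if expr and any(re.search(r"\b%s\s*\(" % fn, expr, re.I) for fn in SUSPICIOUS_FUNCS):
                findings["formulas"].append("R%dC%d: %s" % (row, col, expr))
    suspicious = findings["macro_sheet"] or findings["auto_names"] or findings["formulas"]
    findings["verdict"] = "MACRO" if suspicious else "clean"
    return findings


# Constructed sample in the shape the bullets above describe: a macro sheet,
# an Auto_open name pointing at cell R101C1, and an EXEC() formula in that cell.
MACRO_SLK = (
    "ID;P\r\n"
    "O;E\r\n"
    "NN;NAuto_open;ER101C1;KOut;F\r\n"
    'C;X1;Y101;K0;EEXEC("calc.exe")\r\n'
    "C;X1;Y102;K0;EHALT()\r\n"
    "E\r\n"
).encode()

# Constructed benign SYLK export: plain cell values, no macro sheet, no formulas.
CLEAN_SLK = (
    "ID;PWXL;N;E\r\n"
    'C;Y1;X1;K"host"\r\n'
    'C;Y1;X2;K"patched"\r\n'
    'C;Y2;X1;K"web01"\r\n'
    "C;Y2;X2;K1\r\n"
    "E\r\n"
).encode()

if __name__ == "__main__":
    for label, blob in (("macro", MACRO_SLK), ("clean", CLEAN_SLK)):
        print(label, triage_sylk(blob))
```

Run it at a mail gateway or on a quarantine share over anything that starts with `ID;P`, whatever its extension; the `O;E` record and the auto-run name are the high-confidence signals, while the formula watch-list is there to catch sheets that trigger macros some other way and will need tuning against legitimate exports.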
Other Interesting Vulnerabilities:
- Microsoft Media Foundation Remote code execution|CVE-2019-1430:
- A remote code execution vulnerability exists in Windows Media Foundation due to a use-after-free condition that occurs when Media Foundation's MPEG-4 DLL improperly parses specially crafted QuickTime media files.
- To exploit the vulnerability, an attacker must send a specially crafted QuickTime file to a user and persuade them to open it.
- Successful exploitation allows the attacker to execute arbitrary code with the rights of the current user.
- Windows Hyper-V received several updates, of which four vulnerabilities|CVE-2019-0721, CVE-2019-1389, CVE-2019-1397, CVE-2019-1398 are rated Critical and can be leveraged for remote code execution.
- The vulnerabilities exist because Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system.
- To exploit them, an attacker would run a specially crafted application on a guest operating system; on success, the attacker could break out of the guest and execute arbitrary code on the host operating system.
The November 2019 Patch Tuesday release consists of security updates for the following software:
- Microsoft Windows
- Internet Explorer
- Microsoft Edge (EdgeHTML-based)
- Microsoft Office and Microsoft Office Services and Web Apps
- Open Source Software
- Microsoft Exchange Server
- Visual Studio
- Azure Stack
Product: Microsoft Windows
CVEs/Advisory: ADV190024, CVE-2018-12207, CVE-2019-0712, CVE-2019-0721, CVE-2019-11135, CVE-2019-1234, CVE-2019-1309, CVE-2019-1310, CVE-2019-1324, CVE-2019-1374, CVE-2019-1379, CVE-2019-1380, CVE-2019-1381, CVE-2019-1382, CVE-2019-1383, CVE-2019-1384, CVE-2019-1385, CVE-2019-1388, CVE-2019-1389, CVE-2019-1391, CVE-2019-1392, CVE-2019-1393, CVE-2019-1394, CVE-2019-1395, CVE-2019-1396, CVE-2019-1397, CVE-2019-1398, CVE-2019-1399, CVE-2019-1405, CVE-2019-1406, CVE-2019-1407, CVE-2019-1408, CVE-2019-1409, CVE-2019-1411, CVE-2019-1412, CVE-2019-1415, CVE-2019-1416, CVE-2019-1417, CVE-2019-1418, CVE-2019-1419, CVE-2019-1420, CVE-2019-1422, CVE-2019-1423, CVE-2019-1424, CVE-2019-1430, CVE-2019-1432, CVE-2019-1433, CVE-2019-1434, CVE-2019-1435, CVE-2019-1436, CVE-2019-1437, CVE-2019-1438, CVE-2019-1439, CVE-2019-1440, CVE-2019-1441, CVE-2019-1454, CVE-2019-1456
Impact: Denial of Service, Elevation of Privilege, Information Disclosure, Remote Code Execution, Security Feature Bypass, Spoofing
Severity: Critical
KBs: 4517389, 4519338, 4519976, 4519985, 4519990, 4519998, 4520002, 4520003, 4520004, 4520005, 4520007, 4520008, 4520009, 4520010, 4520011, 4523205, 4524570, 4525232, 4525233, 4525234, 4525235, 4525236, 4525237, 4525239, 4525241, 4525243, 4525246, 4525250, 4525253
Product: Internet Explorer
CVEs/Advisory: CVE-2019-1390, CVE-2019-1429
Impact: Remote Code Execution
KBs: 4523205, 4524570, 4525106, 4525232, 4525234, 4525235, 4525236, 4525237, 4525241, 4525243, 4525246
Product: Microsoft Edge (EdgeHTML-based)
CVEs/Advisory: CVE-2019-1413, CVE-2019-1426, CVE-2019-1427, CVE-2019-1428
Impact: Remote Code Execution, Security Feature Bypass
KBs: 4523205, 4524570, 4525232, 4525236, 4525237, 4525241
Product: Microsoft Office and Microsoft Office Services and Web Apps
CVEs/Advisory: CVE-2019-1402, CVE-2019-1442, CVE-2019-1443, CVE-2019-1445, CVE-2019-1446, CVE-2019-1447, CVE-2019-1448, CVE-2019-1449, CVE-2019-1457
Impact: Information Disclosure, Remote Code Execution, Security Feature Bypass, Spoofing
KBs: 4484113, 4484119, 4484127, 4484141, 4484142, 4484143, 4484144, 4484148, 4484149, 4484151, 4484152, 4484157, 4484158, 4484159, 4484160, 4484164, 4484165
Product: Open Source Software
Impact: Information Disclosure
Product: Visual Studio
Impact: Elevation of Privilege
Product: Azure Stack