Patch Tuesday: Microsoft Security Bulletin Summary for November 2019

In its November 2019 Patch Tuesday release, Microsoft published security updates fixing 74 Common Vulnerabilities and Exposures (CVEs) across the Windows family of operating systems and related products. Of these, 13 are classified as “Critical” and 61 as “Important”.

Among the 13 Critical vulnerabilities is one in Internet Explorer that is under active exploitation and has been classified as a zero-day.

Zero-day in the Wild:

The vulnerability was reported by Google Project Zero (Ivan Fratric), Google’s Threat Analysis Group (Clement Lecigne), iDefense Labs and Resecurity. Microsoft addressed the flaw by changing how the scripting engine handles objects in memory.

  • Remote Code Execution vulnerability in Internet Explorer | CVE-2019-1429:
    • A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Internet Explorer. An attacker could corrupt memory and execute code in the context of the current user.
    • Successful exploitation gives the attacker the rights of the current user. If the user is logged on with administrative privileges, the attacker gains complete control of the system and can install programs; view, change, or delete data; or create new accounts with full user rights.
    • In a web-based attack scenario, an attacker could host a specially crafted website designed to exploit the vulnerability through Internet Explorer and persuade a user to view it.
    • An attacker could likewise exploit the vulnerability through an application or a Microsoft Office document by embedding an ActiveX control that uses the Internet Explorer rendering engine.
    • The attacker could also take advantage of compromised websites, or websites that accept or host user-provided content or advertisements, which could contain specially crafted content designed to exploit the vulnerability.

That’s not all: Microsoft has also released an update for a publicly disclosed vulnerability.

Publicly Disclosed:

The vulnerability was discovered and published by Outflank and, as explained by Will Dormann of the CERT/CC, has been confirmed against fully patched Office 2016 and Office 2019 for Mac systems.

  • Microsoft Office Excel Security Feature Bypass | CVE-2019-1457:
    • A security feature bypass vulnerability exists in Microsoft Office 2016 and 2019 for Mac due to improper enforcement of macro settings on an Excel document.
    • To exploit the vulnerability, an attacker would have to embed a control in an Excel worksheet in the SYLK (SYmbolic LinK) file format that indicates a macro should be run, and a user would have to be persuaded to open the specially crafted file with an affected version of Microsoft Office.
    • SYLK documents do not open in Protected View. A user opening a specially crafted file gets no warning or prompt from Excel and none of the protections offered by the Protected View security feature.
    • Moreover, if Office for Mac has been configured with the “Disable all macros without notification” setting, XLM macros in SYLK files are executed without prompting the user.
    • Successful exploitation could allow a remote attacker to execute arbitrary code, access sensitive information or manipulate data with the privileges of the user.
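An added example, not from the original post and not code from Microsoft or Outflank: a small Python triage check that a mail gateway or file scanner could run over attachments to flag SYLK content carrying the conditions this section describes (a macro-sheet option and an auto-run name), inspecting content rather than the file extension so that a renamed file is still caught. The record layout used here (`ID` header, `O;E` option, `NN` name records, `E`-prefixed formula fields in `C` records) is an assumption based on the public SYLK format, and both sample inputs are constructed.

```python
import re

# Constructed sample: an ordinary SYLK export with a header and two value cells.
BENIGN_SLK = 'ID;PWXL;N;E\r\nC;X1;Y1;K"Qty"\r\nC;X1;Y2;K42\r\nE\r\n'

# Constructed sample: a SYLK file that enables a macro sheet and defines an
# auto-run name pointing at a formula cell (layout assumed from the SYLK spec;
# the formula itself is a harmless placeholder).
MACRO_SLK = "ID;P\r\nO;E\r\nNN;NAuto_open;ER101C1\r\nC;X1;Y101;K0;ENOW()\r\nE\r\n"

# Excel name records that cause a macro to run on open/close (case-insensitive).
AUTO_NAMES = ("auto_open", "auto_close", "auto_activate", "auto_deactivate")


def is_sylk(data: bytes) -> bool:
    """SYLK content starts with an 'ID;' record, whatever the file is named."""
    return data.lstrip().startswith(b"ID;")


def parse_records(data: bytes):
    """Yield (record_type, fields) for each non-empty SYLK line."""
    for line in re.split(r"\r?\n", data.decode("latin-1")):
        if line:
            fields = line.split(";")
            yield fields[0], fields[1:]


def sylk_findings(data: bytes) -> list:
    """Return a list of indicator tags found in the data (empty if not SYLK)."""
    findings = []
    if not is_sylk(data):
        return findings
    findings.append("sylk-content")
    for rtype, fields in parse_records(data):
        if rtype == "O" and "E" in fields:          # options record: macro sheet
            findings.append("macro-sheet-option")
        if rtype == "NN":                           # defined-name record
            for f in fields:
                if f.startswith("N") and f[1:].lower() in AUTO_NAMES:
                    findings.append("auto-run-name:" + f[1:])
        if rtype == "C" and any(f.startswith("E") for f in fields):
            findings.append("formula-cell")         # cell carrying a formula
    return findings


def should_quarantine(data: bytes) -> bool:
    """Hold the file when SYLK content declares a macro sheet or auto-run name."""
    f = sylk_findings(data)
    return "sylk-content" in f and any(
        x == "macro-sheet-option" or x.startswith("auto-run-name") for x in f)
```

A plain SYLK export yields only the `sylk-content` tag and passes; the gateway decision is driven by the macro-related tags, not by the mere presence of the format.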

Other Interesting Vulnerabilities in Microsoft Patch Tuesday November 2019:

  • Microsoft Media Foundation Remote Code Execution | CVE-2019-1430:
    • A remote code execution vulnerability exists in Microsoft Media Foundation due to a use-after-free condition in Media Foundation’s MPEG4 DLL, triggered when Windows Media Foundation improperly parses specially crafted QuickTime media files.
    • To exploit the vulnerability, an attacker must send a specially crafted QuickTime file to a user and persuade them to open it.
    • Successful exploitation lets the malicious QuickTime file execute arbitrary code and gain the rights of the user.
  • Windows Hyper-V received major updates, of which four vulnerabilities | CVE-2019-0721, CVE-2019-1389, CVE-2019-1397, CVE-2019-1398 are classified as Critical and can potentially be leveraged for remote code execution.
    • The vulnerabilities exist because Hyper-V on a host server improperly validates input from an authenticated user on a guest operating system.
    • To exploit the vulnerability, an attacker would run a specially crafted application on a guest operating system; on success, a malicious user could escape the hypervisor or a sandbox.

Along with the security updates, Microsoft also released two advisories (ADV190024 and ADV990001), covering a vulnerability found in Trusted Platform Modules (TPM) and the Servicing Stack Update for Windows 10.

The Microsoft Patch Tuesday November 2019 release consists of security updates for the following software:

  • Microsoft Windows
  • Internet Explorer
  • Microsoft Edge (EdgeHTML-based)
  • ChakraCore
  • Microsoft Office and Microsoft Office Services and Web Apps
  • Open Source Software
  • Microsoft Exchange Server
  • Visual Studio
  • Azure Stack

Product: Microsoft Windows
CVEs/Advisory: ADV190024, CVE-2018-12207, CVE-2019-0712, CVE-2019-0721, CVE-2019-11135, CVE-2019-1234, CVE-2019-1309, CVE-2019-1310, CVE-2019-1324, CVE-2019-1374, CVE-2019-1379, CVE-2019-1380, CVE-2019-1381, CVE-2019-1382, CVE-2019-1383, CVE-2019-1384, CVE-2019-1385, CVE-2019-1388, CVE-2019-1389, CVE-2019-1391, CVE-2019-1392, CVE-2019-1393, CVE-2019-1394, CVE-2019-1395, CVE-2019-1396, CVE-2019-1397, CVE-2019-1398, CVE-2019-1399, CVE-2019-1405, CVE-2019-1406, CVE-2019-1407, CVE-2019-1408, CVE-2019-1409, CVE-2019-1411, CVE-2019-1412, CVE-2019-1415, CVE-2019-1416, CVE-2019-1417, CVE-2019-1418, CVE-2019-1419, CVE-2019-1420, CVE-2019-1422, CVE-2019-1423, CVE-2019-1424, CVE-2019-1430, CVE-2019-1432, CVE-2019-1433, CVE-2019-1434, CVE-2019-1435, CVE-2019-1436, CVE-2019-1437, CVE-2019-1438, CVE-2019-1439, CVE-2019-1440, CVE-2019-1441, CVE-2019-1454, CVE-2019-1456
Impact: Denial of Service, Elevation of Privilege, Information Disclosure, Remote Code Execution, Security Feature Bypass, Spoofing
Severity: Critical
KBs: 4517389, 4519338, 4519976, 4519985, 4519990, 4519998, 4520002, 4520003, 4520004, 4520005, 4520007, 4520008, 4520009, 4520010, 4520011, 4523205, 4524570, 4525232, 4525233, 4525234, 4525235, 4525236, 4525237, 4525239, 4525241, 4525243, 4525246, 4525250, 4525253

Product: Internet Explorer
CVEs/Advisory: CVE-2019-1390, CVE-2019-1429
Impact: Remote Code Execution
Severity: Critical
KBs: 4523205, 4524570, 4525106, 4525232, 4525234, 4525235, 4525236, 4525237, 4525241, 4525243, 4525246

Product: Microsoft Edge (EdgeHTML-based)
CVEs/Advisory: CVE-2019-1413, CVE-2019-1426, CVE-2019-1427, CVE-2019-1428
Impact: Remote Code Execution, Security Feature Bypass
Severity: Critical
KBs: 4523205, 4524570, 4525232, 4525236, 4525237, 4525241

Product: ChakraCore
CVEs/Advisory: CVE-2019-1426, CVE-2019-1427, CVE-2019-1428
Impact: Remote Code Execution
Severity: Critical

Product: Microsoft Office and Microsoft Office Services and Web Apps
CVEs/Advisory: CVE-2019-1402, CVE-2019-1442, CVE-2019-1443, CVE-2019-1445, CVE-2019-1446, CVE-2019-1447, CVE-2019-1448, CVE-2019-1449, CVE-2019-1457
Impact: Information Disclosure, Remote Code Execution, Security Feature Bypass, Spoofing
Severity: Important
KBs: 4484113, 4484119, 4484127, 4484141, 4484142, 4484143, 4484144, 4484148, 4484149, 4484151, 4484152, 4484157, 4484158, 4484159, 4484160, 4484164, 4484165

Product: Open Source Software
CVEs/Advisory: CVE-2019-1370
Impact: Information Disclosure
Severity: Important

Product: Microsoft Exchange Server
CVEs/Advisory: CVE-2019-1373
Impact: Remote Code Execution
Severity: Critical
KBs: 4523171

Product: Visual Studio
CVEs/Advisory: CVE-2019-1425
Impact: Elevation of Privilege
Severity: Important

Product: Azure Stack
CVEs/Advisory: CVE-2019-1234
Impact: Spoofing
Severity: Important

SecPod Saner detects these vulnerabilities and automatically fixes them by applying the security updates. Download Saner now and keep your systems updated and secure.