The November 2019 Security Update Review

November 12, 2019 | Dustin Childs

November is here and so are the latest security patches from Microsoft and Adobe. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.

Adobe Patches for November 2019

For November, Adobe released four patches addressing 11 CVEs in Adobe Animate CC, Illustrator CC, Bridge CC, and Media Encoder. Four of these CVEs came through the ZDI program. The Media Encoder patch includes a Critical-rated fix for an Out-of-bounds (OOB) bug that could allow code execution. The patch for Illustrator also includes two Critical-rated fixes for memory corruption vulnerabilities that could lead to code execution.

The updates for Bridge and Animate CC are both rated Important in severity. The Bridge update fixes two information disclosure bugs while the patch for Animate fixes a DLL hijacking bug that could lead to a local privilege escalation (LPE). None of these bugs are listed as publicly known or under active attack at the time of release.

Microsoft Patches for November 2019

This month, Microsoft released security patches for 74 CVEs and one new advisory covering Microsoft Windows, Internet Explorer (IE), Microsoft Edge (EdgeHTML-based), ChakraCore, Office and Office Services and Web Apps, Open Source Software, Exchange Server, and Visual Studio. A total of 15 of these CVEs were reported through the ZDI program. Of these 74 CVEs, 13 are rated Critical and 61 are rated Important in severity. The new advisory being disclosed today is listed as publicly known and one CVE is listed under active attack.

Let’s take a closer look at some of the more interesting patches for this month, starting with the bug currently being exploited:

- CVE-2019-1429 – Scripting Engine Memory Corruption Vulnerability
Reported through the Google Threat Analysis Group, this patch for IE corrects a vulnerability in the way that the scripting engine handles objects in memory. This vague description for memory corruption means that an attacker can execute their code if an affected browser visits a malicious web page or opens a specially crafted Office document. That second vector means you need this patch even if you don’t use IE. Microsoft gives no information on the nature of the active attacks, but they are likely limited at this time. However, now that the patch is available for analysis, the attacks could definitely grow.

- ADV190024 – Microsoft Guidance for Vulnerability in Trusted Platform Module (TPM)
This advisory covers TPM chipsets that use the Elliptic Curve Digital Signature Algorithm (ECDSA). This NIST standard has been around for a while, and interestingly, no current Windows system uses this algorithm, although other software or services might. The bug exists in the TPM firmware and not the OS itself, so there’s no Microsoft patch here. Instead, if your system is affected, you’ll need a TPM firmware update from your chip manufacturer, and you’ll also likely need to re-enroll in security services to fully remediate this vulnerability. I’m not sure how widely deployed these chips are, but the servicing will not be a simple task.

- CVE-2019-1373 – Microsoft Exchange Remote Code Execution Vulnerability
Bugs in Exchange Server are always interesting on some level, and this one certainly doesn’t disappoint. The patch corrects a vulnerability in the deserialization of metadata via PowerShell. To exploit this, an attacker would need to convince a user to run cmdlets via PowerShell. While this may be an unlikely scenario, it only takes one user to compromise the server. If that user has administrative privileges, they could hand over complete control to the attacker.

- CVE-2019-1388 – Windows Certificate Dialog Elevation of Privilege Vulnerability
This bug was reported through the ZDI program, and we all marveled at it when it was submitted. An attacker can elevate to a shell with NT Authority\SYSTEM privileges by abusing the User Access Control (UAC) feature. Microsoft has stated UAC is not a security boundary, but this vulnerability turns it into a security liability. There are several steps involved in the actual exploitation, but it stems from clicking “Show information about this publisher's certificate” at a UAC prompt. We’ll publish additional details along with a video demonstration of this bug in the near future.

Here’s the full list of CVEs released by Microsoft for November 2019.

| CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older | Type |
|---|---|---|---|---|---|---|---|
| CVE-2019-1429 | Scripting Engine Memory Corruption Vulnerability | Critical | No | Yes | 0 | 0 | RCE |
| CVE-2019-0721 | Hyper-V Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2019-1373 | Microsoft Exchange Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2019-1389 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2019-1390 | VBScript Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 | RCE |
| CVE-2019-1397 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2019-1398 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2019-1419 | OpenType Font Parsing Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2019-1426 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2019-1427 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2019-1428 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2019-1430 | Microsoft Windows Media Foundation Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2019-1441 | Win32k Graphics Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2018-12207 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-0712 | Windows Hyper-V Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
| CVE-2019-11135 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-1234 | Azure Stack Spoofing Vulnerability | Important | No | No | N/A | N/A | Spoof |
| CVE-2019-1309 | Windows Hyper-V Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
| CVE-2019-1310 | Windows Hyper-V Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
| CVE-2019-1324 | Windows TCP/IP Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-1370 | Open Enclave SDK Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-1374 | Windows Error Reporting Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-1379 | Windows Data Sharing Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-1380 | Microsoft splwow64 Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-1381 | Microsoft Windows Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-1382 | Microsoft ActiveX Installer Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-1383 | Windows Data Sharing Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-1384 | Microsoft Windows Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 | SFB |
| CVE-2019-1385 | Windows AppX Deployment Extensions Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-1388 | Windows Certificate Dialog Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-1391 | Windows Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
| CVE-2019-1392 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2019-1393 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2019-1394 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2019-1395 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2019-1396 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2019-1399 | Windows Hyper-V Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
| CVE-2019-1402 | Microsoft Office Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-1405 | Windows UPnP Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-1406 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-1407 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-1408 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2019-1409 | Windows Remote Procedure Call Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-1411 | DirectWrite Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-1412 | OpenType Font Driver Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-1413 | Microsoft Edge Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 | SFB |
| CVE-2019-1415 | Windows Installer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-1416 | Windows Subsystem for Linux Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-1417 | Windows Data Sharing Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-1418 | Windows Modules Installer Service Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-1420 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-1422 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-1423 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-1424 | NetLogon Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 | SFB |
| CVE-2019-1425 | Visual Studio Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-1432 | DirectWrite Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-1433 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-1434 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-1435 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2019-1436 | Win32k Information Disclosure Vulnerability | Important | No | No | 1 | 1 | Info |
| CVE-2019-1437 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2019-1438 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2019-1439 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-1440 | Win32k Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-1442 | Microsoft Office Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 | SFB |
| CVE-2019-1443 | Microsoft SharePoint Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-1445 | Microsoft Office Online Spoofing Vulnerability | Important | No | No | 2 | 2 | Spoof |
| CVE-2019-1446 | Microsoft Excel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-1447 | Microsoft Office Online Spoofing Vulnerability | Important | No | No | 2 | 2 | Spoof |
| CVE-2019-1448 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-1449 | Microsoft Office ClickToRun Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 | SFB |
| CVE-2019-1454 | Windows User Profile Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-1456 | OpenType Font Parsing Remote Code Execution Vulnerability | Important | No | No | N/A | N/A | RCE |
| CVE-2019-1457 | Microsoft Office Excel Security Feature Bypass | Important | No | No | N/A | N/A | SFB |
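A small patch-triage helper, added here as an example (it is not part of the original post or of any ZDI tooling): it parses rows in the layout of the table above (pipe delimiters, if present, are ignored) and orders them with the bug under active attack first, then publicly known bugs, then by severity and Exploitability Index. The embedded rows are a constructed subset copied from the table; the ranking rule is this example's own assumption, not Microsoft's or ZDI's.

```python
import re
from collections import Counter

# Constructed sample: rows copied in the layout of the CVE table above
# (CVE, title, severity, public, exploited, XI latest, XI older, type).
SAMPLE_ROWS = """
CVE-2019-1429 Scripting Engine Memory Corruption Vulnerability Critical No Yes 0 0 RCE
CVE-2019-0721 Hyper-V Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2019-1234 Azure Stack Spoofing Vulnerability Important No No N/A N/A Spoof
CVE-2019-1324 Windows TCP/IP Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2019-1388 Windows Certificate Dialog Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2019-1392 Windows Kernel Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2019-1456 OpenType Font Parsing Remote Code Execution Vulnerability Important No No N/A N/A RCE
"""

ROW_RE = re.compile(
    r"^(CVE-\d{4}-\d{4,})\s+(.+?)\s+(Critical|Important|Moderate|Low)\s+"
    r"(Yes|No)\s+(Yes|No)\s+(\d|N/A)\s+(\d|N/A)\s+(\w+)$"
)
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}

def parse_rows(text):
    """Parse table rows; pipe characters (pipe-delimited layout) are ignored."""
    rows = []
    for raw in text.splitlines():
        m = ROW_RE.match(" ".join(raw.replace("|", " ").split()))
        if not m:
            continue  # header, separator or blank line
        cve, title, sev, public, exploited, xi_latest, _xi_older, kind = m.groups()
        rows.append({
            "cve": cve, "title": title, "severity": sev,
            "public": public == "Yes", "exploited": exploited == "Yes",
            # XI: 0 = exploitation detected, 1 = more likely, 2 = less likely;
            # N/A is ranked last (assumption of this example).
            "xi_latest": 9 if xi_latest == "N/A" else int(xi_latest),
            "type": kind,
        })
    return rows

def triage_order(rows):
    """Deployment order: under attack, then public, then severity, then
    Exploitability Index, then CVE id as a tiebreaker."""
    key = lambda r: (not r["exploited"], not r["public"],
                     SEVERITY_RANK[r["severity"]], r["xi_latest"], r["cve"])
    return [r["cve"] for r in sorted(rows, key=key)]

def tally(rows, field):
    """Count rows by one column, e.g. severity or type."""
    return Counter(r[field] for r in rows)
```

Running `parse_rows` over the full table reproduces the counts in the text (13 Critical, 61 Important, 17 Info versus 16 RCE).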

Looking through the Critical-rated patches, the updates for Hyper-V stand out the most. Five separate code execution bugs receive patches this month, and each could allow a user on the guest OS to execute code on the underlying host OS. Any one of those bugs could have won $250,000 for someone at this year’s Pwn2Own Vancouver event. Let’s hope they save a few for next year. Another Critical patch corrects how Windows handles QuickTime media files. However, considering Apple ended support for QuickTime on Windows back in 2016, you should consider any QuickTime media file to be suspect.

The rest of the Critical-rated patches mainly involve an aspect of web browsing – either in the browser itself or one of the components used during browsing. Interestingly, CVE-2019-1441 is listed as Critical since viewing a specially crafted font could allow code execution. However, CVE-2019-1456 has a nearly identical description but is listed as Important. This is likely due to where the font is actually rendered on the target system. Fonts may be rendered in the kernel, which obviously could lead to more severe issues than rendering in a different subsystem.

Speaking of rendering, various graphics components receive quite a few updates this month. In total, 20 different patches touch some aspect of the graphics components in Windows. Most of these resolve Elevation of Privilege (EoP) vulnerabilities, but several info disclosure bugs get fixes, too. There are 17 patches for info disclosure bugs, which is actually more than the number of RCE patches this month.

Similar to last month, the Open Enclave SDK receives a patch to address an info disclosure bug. The Windows Subsystem for Linux receives a patch for an EoP vulnerability. Ten years ago, if you predicted Microsoft would release an open-source and a Linux-related patch in the same month, you would likely have been laughed at – but here we are.

You may notice a CVE from 2018 in this month’s release as well. This actually comes from Intel and is being shipped here by Microsoft to address the vulnerability in guest virtual machines. You’ll need to manually enable protections on the host. KB4530989 provides full details on the steps needed to ensure your Hyper-V host is protected from this bug.

This month’s release is rounded out by a handful of patches for Office and several patches for various Windows components. The most notable of these include an info disclosure bug in the TCP/IP stack due to improperly handled IPv6 flow labels in packets. An attacker could get device information like resource IDs, SAS tokens, user properties, and other sensitive information from an affected device. There’s also a security feature bypass in NetLogon that would allow a MITM to degrade certain aspects of the connection. It can’t be used on its own to take over a connection, but it could be used to further modify the transmission.

Finally, in addition to the previously mentioned TPM advisory, the servicing stack advisory (ADV990001) was revised for multiple versions of Windows. No additional advisories were released this month.

Looking Ahead

The final patch Tuesday of 2019 falls on December 10, and we’ll return with details and patch analysis then. Until then, happy patching and may all your reboots be smooth and clean!