The December 2019 Security Update Review

December 10, 2019 | Dustin Childs

We’ve made it to the end of the year and the final scheduled security updates from Microsoft and Adobe for 2019. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.  

Adobe Patches for December 2019

Adobe closes out 2019 with four patches fixing 25 CVEs in Acrobat Reader, Brackets, ColdFusion and Photoshop. The update for Acrobat Reader corrects 21 CVEs. Most are rated Critical, with a few rated Important in severity. The types of bugs addressed primarily include Out-of-Bounds Reads and Writes, some untrusted pointer dereferences, and a few Use-After-Free (UAF) bugs. None are listed as publicly known or under active attack at the time of release.

The update for Brackets addresses a single, Critical-rated bug that could allow remote code execution via command injection. The patch for Photoshop fixes two Critical-rated memory corruption bugs that could lead to arbitrary code execution. The ColdFusion patch fixes an Important-rated insecure permissions bug.

Microsoft Patches for December 2019

This December, Microsoft released security patches for a mere 36 CVEs covering Microsoft Windows, Internet Explorer (IE), Hyper-V Server, Microsoft Defender, GitHub Library, Office and Office Services and Web Apps, and SQL Server. Seven of these CVEs were reported through the ZDI program. Of these 36 CVEs, seven are rated Critical, 28 are rated Important, and one is rated Moderate in severity. While this is a much lower quantity of CVEs compared to other months, it is quite common for Microsoft to have a light December release. None of the patches released this month are listed as publicly known, but one is listed as being actively exploited at the time of release.

Let’s take a closer look at some of the more interesting updates for this month, starting with the bug currently being exploited:

- CVE-2019-1458 – Win32k Elevation of Privilege Vulnerability
This is the one bug listed as being under active attack this month and was reported by Kaspersky Labs. That group also reported a UAF in Chrome that was under active exploit. When that bug became public, there was speculation it was being paired with a Windows kernel bug to escape the sandbox. While it’s not confirmed this patch is connected to those Chrome attacks, this is the type of bug one would use to perform a sandbox escape.

- CVE-2019-1471 – Windows Hyper-V Remote Code Execution Vulnerability
This Critical-rated patch fixes a bug in Hyper-V that would allow a user on a guest OS to execute arbitrary code on the underlying host OS. Bugs like this have been demonstrated at Pwn2Own in the past, and they’re always fun to watch. Considering how much modern computing depends on virtualization, it’s likely we’ll continue to see research that focuses on exploiting the hypervisor from a guest OS.

- CVE-2019-1468 – Win32k Graphics Remote Code Execution Vulnerability
It’s hard to see a font parsing bug and not be reminded of the Duqu malware. Even eight years later, people are still finding Critical-rated problems in embedded fonts. This example, reported through the ZDI program, could allow an attacker to execute code on an affected system if they view a specially crafted font. If you’re logged on as an Administrator, the attacker could take over the system. Just another reminder that you should not use an account with administrative privileges for day-to-day activities.

Here’s the full list of CVEs released by Microsoft for December 2019.

| CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older | Type |
|---|---|---|---|---|---|---|---|
| CVE-2019-1458 | Win32k Elevation of Privilege Vulnerability | Important | No | Yes | N/A | 0 | EoP |
| CVE-2019-1349 | Git for Visual Studio Remote Code Execution Vulnerability | Critical | No | No | 2 | N/A | RCE |
| CVE-2019-1350 | Git for Visual Studio Remote Code Execution Vulnerability | Critical | No | No | 2 | N/A | RCE |
| CVE-2019-1352 | Git for Visual Studio Remote Code Execution Vulnerability | Critical | No | No | 2 | N/A | RCE |
| CVE-2019-1354 | Git for Visual Studio Remote Code Execution Vulnerability | Critical | No | No | 2 | N/A | RCE |
| CVE-2019-1387 | Git for Visual Studio Remote Code Execution Vulnerability | Critical | No | No | 2 | N/A | RCE |
| CVE-2019-1468 | Win32k Graphics Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2019-1471 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2019-1332 | Microsoft SQL Server Reporting Services XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
| CVE-2019-1400 | Microsoft Access Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-1453 | Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
| CVE-2019-1461 | Microsoft Word Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
| CVE-2019-1462 | Microsoft PowerPoint Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-1463 | Microsoft Access Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-1464 | Microsoft Excel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-1465 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-1466 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-1467 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-1469 | Win32k Information Disclosure Vulnerability | Important | No | No | 1 | 1 | Info |
| CVE-2019-1470 | Windows Hyper-V Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-1472 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-1474 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-1476 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-1477 | Windows Printer Service Elevation of Privilege Vulnerability | Important | No | No | N/A | 2 | EoP |
| CVE-2019-1478 | Windows COM Server Elevation of Privilege Vulnerability | Important | No | No | N/A | 2 | EoP |
| CVE-2019-1480 | Windows Media Player Information Disclosure Vulnerability | Important | No | No | N/A | 2 | Info |
| CVE-2019-1481 | Windows Media Player Information Disclosure Vulnerability | Important | No | No | N/A | 2 | Info |
| CVE-2019-1483 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-1484 | Windows OLE Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-1485 | VBScript Remote Code Execution Vulnerability | Important | No | No | 1 | 1 | RCE |
| CVE-2019-1486 | Visual Studio Live Share Spoofing Vulnerability | Important | No | No | 2 | N/A | Spoof |
| CVE-2019-1487 | Microsoft Authentication Library for Android Information Disclosure Vulnerability | Important | No | No | 2 | N/A | Info |
| CVE-2019-1488 | Microsoft Defender Security Feature Bypass Vulnerability | Important | No | No | 1 | 1 | SFB |
| CVE-2019-1489 | Remote Desktop Protocol Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-1490 | Skype for Business and Lync Spoofing Vulnerability | Important | No | No | 2 | 2 | Spoof |
| CVE-2019-1351 | Git for Visual Studio Tampering Vulnerability | Moderate | No | No | 2 | N/A | Tampering |

Looking through the other Critical-rated patches, we see several code execution bugs in Git for Visual Studio. The descriptions for the five bugs are identical. Each states an attacker could take over a system if they can convince a user to clone a malicious repo. Each also states the patch addresses the vulnerability by correcting the manner in which Git validates command-line input. There’s also a tampering bug in Git for Visual Studio being fixed this month, although this patch is Moderate severity rather than Critical.

Moving on to the Important-rated updates, the first one to stand out is the update for VBScript. This manifests as a browser bug, since an affected IE version would allow remote code execution if it opened a specially crafted website. In other words, this is a browse-and-own bug. Since all versions of IE are affected, you should consider this Critical if you have IE in your enterprise.

There are several information disclosure bugs getting fixed this month – more than any other category. Of these 14 patches, several were reported by ZDI’s own Hossein Lotfi. While these vulnerabilities don’t directly lead to code execution, they can be used to make code execution more reliable since the info being disclosed is typically uninitialized memory.

In addition to the EoP under active attack, there are four other EoP patches for December. The most interesting of these is the one involving the Windows Printer Service. A local attacker could run a program designed to cause the service to improperly validate file paths while loading printer drivers, thus elevating from a regular user to a privileged one. The EoPs in the kernel and COM server behave in a similar fashion.

There’s one security feature bypass fix for this month, and it impacts Microsoft Defender. Rather than allowing an attacker extra access, the bug allows them to trigger warnings and false-positive alerts. If you’ve ever been on the receiving end of an alert flood, you know it can be overwhelming. An attacker could use this as a type of smoke screen and hide legitimate alerts amongst the fake ones. Neat.

Wrapping up this release, both Skype for Business and Visual Studio Live Share receive patches to address spoofing bugs. There’s also a fix for a cross-site scripting (XSS) bug in SQL Server. Word and RDP get DoS bugs corrected.

Finally, the servicing stack advisory (ADV990001) was revised for multiple versions of Windows. No additional advisories were released this month.

Looking Ahead

The first patch Tuesday of 2020 falls on January 14, and we’ll return with details and patch analysis then. Until then, happy patching and may all your reboots be smooth and clean!