A Lighter-than-normal Patch Tuesday for December, 2019

In this month’s security updates, Microsoft is fixing 36 vulnerabilities: 7 of them are considered critical, 27 important, and 1 moderate. One of them is not categorized but, based on its nature, it’s safe to assume that it is an important one.

Many of them are related to Windows internal components that could be used to gain remote code execution or perform local privilege elevation. Adobe is fixing 21 vulnerabilities in Acrobat Reader.

Here is the list of products or components that are being patched:

  • Adobe Acrobat Reader & Flash
  • Authentication Library for Android
  • Git for Visual Studio and Visual Studio Live Share
  • Internet Explorer 9 through 11
  • Microsoft Defender
  • Microsoft Edge
  • Microsoft Office: Word, Excel, PowerPoint, and Access
  • Microsoft SQL Server
  • Microsoft Visual Studio
  • Remote Desktop (RDP)
  • Skype for Business / Lync
  • Windows graphical components (GDI, Win32k)
  • Windows HyperV
  • Windows Media Player
  • Windows services and kernel for Windows 7, 8.1, and 10
  • Windows Server 2008 through 2019
  • Windows VBScript Engine

There are reports of active exploitation of an elevation of privilege vulnerability affecting Windows Win32k.

It’s worth reminding readers that the availability of patches does not mean that your computer has installed them, yet. To find and download this month’s Cumulative Update patch yourself, search for the term “2019-12” at the Microsoft Update Catalog website.

Let’s have a closer look at some of the interesting vulnerabilities.

Win32k Elevation of Privilege Vulnerability CVE-2019-1458

Win32k is the kernel driver that supports the Graphics Device Interface. It allows application through the Win32 API to create graphical objects such as windows. A malicious attacker that has already gained arbitrary code execution on a machine can leverage that vulnerability to get arbitrary code execute in the context of the Kernel and elevate its privilege to SYSTEM. This vulnerability is being exploited in the wild.

Win32k Information Disclosure Vulnerability CVE-2019-1469

It is possible to disclose value of a kernel pointer from user mode, which can be used bypass Kernel Address Space Layout Randomization (KASLR). An attacker could use that pointer in an exploit that targets another vulnerability to reference kernel memory.

VBScript Remote Code Execution Vulnerability CVE-2019-1485

The VBScript engine suffers from a Use After Free (UAF). An attacker can craft a malicious VBScript inside a web page, trick a targeted user to visit the web page and gain remote code execution on the user’s machine.

Security updates available for Acrobat Reader APSB19-55

Adobe Reader has 21 vulnerabilities that are being fixed with the update, most of them being related to Use After Free (UAF), Out-of-Bounds Read and Write and Untrusted Pointer Dereference. An attacker could send a malicious document to launch remote code on a targeted computer.

Detection notes

Sophos has released following detection signatures to address the vulnerabilities mentioned above. Please note that Sophos may release additional detections for these or other vulnerabilities in the future.

CVE SAV IPS
CVE-2019-1469 Exp/20191469-A 2301317
CVE-2019-1485 Exp/20191485-A 2301313

Contact us today for more information about SOPHOS cyber security solutions