
Patch Tuesday – December 2019

This month’s end-of-year Patch Tuesday is relatively light, with Microsoft fixing a Windows zero-day and a spoofing vulnerability in SQL Server Reporting Services.

Windows and Windows Server

In total there are 15 vulnerabilities patched for Windows this month, including a zero-day (CVE-2019-1458) in older versions of Windows 10 (Windows 10 1507 and Windows 10 1607), Windows 7 Service Pack 1, Windows 8.1, and all versions of Windows Server from 2008 Service Pack 2 to Windows Server 2016. The bug, rated important, is an escalation of privilege (EoP) flaw that exists because the Win32k component fails to properly handle objects in memory.

If exploited, a hacker could run arbitrary code in kernel mode, allowing them to install programs, change data, and create accounts with full user privileges. Microsoft said a hacker would first need to log in to a system to exploit this flaw. It’s not clear what changes were made in newer versions of Windows 10 that mean they are not affected by this vulnerability.
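The advisory text above lists the affected branches but gives no quick way to find them in a fleet. The following PowerShell snippet is an added example, not code from the article or from Microsoft; it reads the local OS build number from the registry and flags hosts that sit on one of the branches the article names as affected by CVE-2019-1458, so they can be prioritized for the December 2019 cumulative update. The build-to-version mapping is assumed from public Microsoft release information (it is not stated in the article), and the function name `Test-Cve20191458Exposure` is the author's own.

```powershell
# Added example (not from the article). Maps the CurrentBuild registry value to the
# Windows branches the article lists as affected by CVE-2019-1458. The build numbers
# are assumed from public Microsoft release information, not taken from the article.
$affectedBuilds = @{
    '6002'  = 'Windows Server 2008 SP2'
    '7601'  = 'Windows 7 SP1 / Windows Server 2008 R2 SP1'
    '9200'  = 'Windows Server 2012'
    '9600'  = 'Windows 8.1 / Windows Server 2012 R2'
    '10240' = 'Windows 10 1507'
    '14393' = 'Windows 10 1607 / Windows Server 2016'
}

function Test-Cve20191458Exposure {
    param(
        # Defaults to the local registry; pass a build string to evaluate a value
        # collected from another host (for example via an inventory export).
        [string]$CurrentBuild = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuild,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    if ($affectedBuilds.ContainsKey($CurrentBuild)) {
        # The host is on an affected branch; it still needs the December 2019 update
        # verified, because this check does not inspect the installed revision.
        [pscustomobject]@{
            ComputerName = $ComputerName
            Build        = $CurrentBuild
            Branch       = $affectedBuilds[$CurrentBuild]
            Status       = 'Affected branch: confirm the December 2019 cumulative update is installed'
        }
    } else {
        # Newer Windows 10 releases are not listed as affected in the advisory.
        [pscustomobject]@{
            ComputerName = $ComputerName
            Build        = $CurrentBuild
            Branch       = 'Not in the affected list'
            Status       = 'Not listed as affected by CVE-2019-1458'
        }
    }
}

# Evaluate the local host, then list updates installed on or after Patch Tuesday
# (10 December 2019) to help confirm the fix has actually landed.
Test-Cve20191458Exposure | Format-Table -AutoSize
Get-HotFix | Where-Object { $_.InstalledOn -ge [datetime]'2019-12-10' } |
    Select-Object HotFixID, Description, InstalledOn
```

The check deliberately stops at the branch level: it does not encode the patched build revisions (the article does not give them), so a host reported as "affected branch" should be confirmed against the installed-update list rather than treated as unpatched.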


There are two critical remote code execution bugs this month, the first of which affects all supported versions of Windows. CVE-2019-1468 is a vulnerability in the Windows font library, which improperly handles specially crafted embedded fonts; it could allow an attacker to install programs, change data, and create new accounts with full administrator rights. Microsoft says that standard user accounts, i.e. those without administrator rights, might be less impacted by this flaw. An attacker could exploit the bug using a specially crafted website or an infected file.

Second is a Hyper-V bug (CVE-2019-1471) that could let an attacker run an app in a guest VM to force the host OS to run arbitrary code. This bug affects Windows 10 1803 through 1909 64-bit and the equivalent Server versions. Additionally, Internet Explorer 11 gets a fix for a remote code execution flaw in the way that the VBScript engine handles objects in memory. An attacker could gain the same rights as the logged-in user.

A Windows XP Curiosity

Microsoft issued a security vulnerability notice (CVE-2019-1489) for the long unsupported Windows XP SP3. There is an information disclosure flaw in the Remote Desktop Protocol (RDP) where it fails to properly handle objects in memory. An attacker could use it to obtain information that would allow them to further compromise the system. There is no patch available.

Microsoft Office

Five vulnerabilities are fixed this month in Office 365 ProPlus, all rated important. There is one remote code execution bug in PowerPoint where it fails to properly handle objects in memory. Successful exploitation would allow a hacker to run code in the context of the logged-in user, meaning that a hacker could take control of an affected system if the logged-in user has administrator privileges. To exploit the flaw, a user would need to open a specially crafted file.

Microsoft SQL Server

Microsoft SQL Server 2017 and 2019 Reporting Services, and Power BI Report Server, all get a patch for an important spoofing vulnerability: affected SSRS servers fail to properly sanitize requests, allowing cross-site scripting (XSS). An attacker could run scripts in the context of the targeted user, which would let them read data that the attacker is not authorized to see, run code, and use the account identity to take actions on behalf of the user, such as changing permissions and deleting content.

Adobe Software

There’s no security fix for Flash Player this month, although Adobe did release a non-security update. However, Acrobat and Acrobat Reader both get an update that fixes 20-plus flaws in the software.

That’s it until 2020!
