Patch Tuesday November 2019

Windows 10 Hero Good

This month sees Microsoft patch a zero-day in IE, a security advisory for TPMs, and release the Windows 10 November 2019 Update for seekers.

Windows 10 November 2019 Update Available for Seekers

As expected, Microsoft made the Windows 10 November 2019 Update, or version 1909 as it is sometimes referred to, available to seekers via Windows Update. Seekers are users that actively click Check for updates in the Settings app. Assuming there isn’t a block in place for your device, you will be given the option to download and install the update at your convenience.

Windows 10 version 1909 is a minor update and is provided as a cumulative update (CU) for users already on Windows 10 1903. Users on other versions of Windows 10 will receive 1909 as a full operating system upgrade. Users will notice a couple of minor changes. Most notably to File Explorer, which has improved search and now includes results from OneDrive. It’s now also possible to add calendar or reminder items from the taskbar.

Under the hood there are some processor performance improvements and a couple of new enterprise features. Processors supporting Intel Turbo Boost 3.0 now get better performance in Windows 10 1909 with a feature called Favored Core Optimization. There’s also Key-Rolling and Key-Rotation, which enable secure rotation of recovery passwords on MDM-managed Azure Active Directory (AAD) devices when BitLocker drives are manually unlocked by users to provide better protection. For a complete list of all the changes and new features, see Microsoft’s website here.

Windows Client and Server Operating Systems

There is one zero-day this month affecting Internet Explorer. It is a Remote Code Execution (RCE) flaw in the way IE’s scripting engine handles objects in memory. It corrupts memory so that an attacker could run arbitrary code in the context of the logged-in user. Because IE is also used by Office applications to display web content, even if your organization is not using IE, you are still at risk. This vulnerability is already actively being used in attacks but there isn’t currently any information on exactly how the flaw is being used to compromise devices.

There are several other critical RCEs for Windows, including an issue where Hyper-V fails to properly validate input from an authenticated user on a guest operating system, allowing a hacker to potentially run arbitrary code on the Hyper-V host. Windows Media Foundation incorrectly processes specially crafted QuickTime media files, allowing attackers to run code in the context of the logged-in user. And finally, there’s a flaw where the Windows Adobe Type Manager Library incorrectly handles OpenType fonts. Except for Windows 10, the flaw could let an attacker run code remotely. In Windows 10, an attacker could run code in an AppContainer sandbox context with limited privileges and capabilities.

In addition to the RCEs above, there are a host of Elevation of Privilege (EoP), RCEs, and information disclosure flaws rated important fixed this month. It’s worth noting that Windows 10 1903 and Windows 10 1909 use the same servicing content, so the CU for both versions of the OS is the same.

Office, Exchange, SharePoint and SQL Server

There are four important updates for Office 365 ProPlus Click-to-Run, one of which is an RCE in Microsoft Excel where it fails to properly handle objects in memory, and it could let an attacker run arbitrary code in the context of the logged-in user.

Exchange gets a patch for a critical RCE flaw where deserialization of metadata via PowerShell could allow an attacker to run arbitrary code in the context of the logged-in user. SharePoint is patched for an information disclosure vulnerability where an attacker could upload a specially crafted file to a SharePoint Server and obtain SMB hashes.

TPM Security Advisory

Finally this month, Microsoft has issued a security advisory for a flaw that weakens key confidentiality protection for the ECDSA algorithm in TPM chips. While Windows doesn’t utilize ECDSA, other software might. The exact details of this flaw are not detailed but as far as I can understand, the vulnerability is present in a specific vendor’s TPM firmware and doesn’t affect all TPM devices. For more information on this issue, check out Microsoft’s website here.