This month’s end-of-year Patch Tuesday is relatively light, with Microsoft fixing a Windows zero-day and a spoofing vulnerability in SQL Server Reporting Services.
Windows and Windows Server
In total there are 15 vulnerabilities patched for Windows this month, including a zero-day (CVE-2019-1458) in older versions of Windows 10 (Windows 10 1507 and Windows 10 1607), Windows 7 Service Pack 1, Windows 8.1, and all versions of Windows Server from 2008 Service Pack 2 to Windows Server 2016. Rated as an important escalation of privilege (EoP) bug, the Win32k component fails to properly handle objects in memory.
If exploited, a hacker could run arbitrary code in kernel mode, allowing them to install programs, change data, and create accounts with full user privileges. Microsoft said a hacker would first need to log in to a system to exploit this flaw. It’s not clear what changes were made in newer versions of Windows 10 that mean they are not affected by this vulnerability.
There are two critical remote code execution bugs this month, the first of which affects all supported versions of Windows. CVE-2019-1468 is a vulnerability in the Windows font library that improperly handles specially crafted embedded fonts and it could allow an attacker to install programs, change data, and create new accounts with full administrator rights. Microsoft says that standard user accounts, i.e. those without administrator rights, might be less impacted by this flaw. An attacker could exploit the bug using a specially crafted website or using an infected file.
Second is a Hyper-V bug (CVE-2019-1471) that could let an attacker run an app in a guest VM to force the host OS to run arbitrary code. This bug affects Windows 10 1803 through 1909 64-bit and the equivalent Server versions. Additionally, Internet Explorer 11 gets a fix for a remote code execution flaw in the way that the VBScript engine handles objects in memory. An attacker could gain the same rights as the logged in user.
A Windows XP Curiosity
Microsoft issued a security vulnerability notice (CVE-2019-1489) for the long unsupported Windows XP SP3. There is an information disclosure flaw in the Remote Desktop Protocol (RDP) where it fails to properly handle objects in memory. An attacker could use it to obtain information that would allow them to further compromise the system. There is no patch available.
5 vulnerabilities are fixed this month in Office 365 ProPlus, all rated important. There is one remote code execution bug in PowerPoint where it fails to properly handle objects in memory. Successful exploitation would allow a hacker to run code in the context of the logged in user; meaning that a hacker could take control of an affected system if the logged in user has administrator privileges. To exploit the flaw, a user would need to open a specially crafted file.
Microsoft SQL Server
Microsoft SQL Server 2017 and 2019 Reporting Services, and Power BI Report Server, all get a patch for an important spoofing vulnerability where cross-site scripting (XSS) fails to properly sanitize requests to affected SSRS servers. An attacker could run scripts in the context of the targeted user and allow them to read data that the attacker is not authorized to see, run code, and use the account identity to take actions on behalf of the user, like changing permissions and deleting content.
There’s no security fix for Flash Player this month although Adobe did release a non-security update. However, Acrobat and Acrobat Reader both get an update that fixes 20 plus flaws in the software.
That’s it until 2020!