icetray - Fotolia

December Patch Tuesday resolves Windows zero-day

Microsoft delivers the final batch of security fixes for the year with a Windows zero-day vulnerability getting top billing for administrators.

Administrators got an early holiday present with a fairly light patching workload on December Patch Tuesday, but they will have one Windows zero-day to wrap up as soon as possible.

Microsoft corrected 36 vulnerabilities on December Patch Tuesday in Microsoft Windows, Internet Explorer, Microsoft Office and Microsoft Office Services and Web Apps, SQL Server, Visual Studio and Skype for Business.

The Win32k elevation of privilege vulnerability (CVE-2019-1458) is rated as important and is being actively exploited in the wild. This Windows zero-day, discovered by Kaspersky Lab researchers, affects most supported versions of Microsoft's operating system on both the client and server side. The attacker needs authentication to access the system to run malicious code in kernel mode to take control of a system. The attacker could then perform a range of tasks, including create new accounts with full user rights and install programs.

Administrators who base their patching priority on a combination of vendor severity and the Common Vulnerability Scoring System (CVSS) score might miss these types of vulnerabilities if they don't account for additional factors. CVE-2019-1458 has a CVSS score of 7.8.

Chris Goettl, director of product management and security, IvantiChris Goettl

"If you're not patching vulnerabilities rated important and above with a CVSS score lower than 8.0, then you could miss things being actively exploited," said Chris Goettl, director of product management and security at Ivanti, a security and IT management vendor based in South Jordan, Utah.

If you're not patching vulnerabilities rated important and above with a CVSS score lower than 8.0, then you could miss things being actively exploited.
Chris GoettlDirector of product management and security, Ivanti

Multiple zero-day bugs this year met the same criteria as this most recent Windows zero-day, so companies need to make sure they examine additional metadata with the vulnerabilities as they formulate their patching prioritization, Goettl said.

Microsoft closes multiple Git-Visual Studio flaws

Microsoft resolved several security issues related to Git functionality and Microsoft Visual Studio. The company corrected six bugs (CVE-2019-1349, CVE-2019-1350, CVE-2019-1351, CVE-2019-1352, CVE-2019-1354 and CVE-2019-1387) with most of them remote-code execution flaws rated critical. Companies that use Visual Studio for software development and connect to Git repositories will want to apply the December Patch Tuesday updates in short order.

Goettl said an enterprising attacker could do some investigative work to gather email addresses for developers in an organization, then construct a spear-phishing campaign to direct developers to a malicious repository that appears legitimate. Then the attacker could gain administrative rights to modify code in the organization's development environment. While this scenario is theoretical, Goettl said, it's not that far-fetched.

"Vendors are becoming a significant target as a way to attack many companies," he said

Goettl cited a recent incident in which about 400 dentist offices were hit with ransomware through a vendor that handled data backups for the offices. Threat actors have learned that hitting multiple targets at once is a more effective and lucrative option than the piecemeal approach used in the early days of ransomware, he said.

"If I'm an attacker and I find a vertical that I want to go after, such as a vendor for a bunch of health care providers, and I get as much intel as I can about them, their developers and their development platform and any information about their repositories, then I could put together a valid spear-phishing attack," Goettl said. "And if I can get into their code base, then I can construct an attack that hits all of their customers and makes for a more painful and more profitable ransomware scenario."

Microsoft issues more servicing stack updates

Microsoft issued an advisory (ADV990001) related to servicing stack updates for Windows 7, Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012. The first three operating systems will leave mainstream support after the next Patch Tuesday, on Jan. 14, 2020, and move into the extended support phase. Companies that have not migrated off these legacy systems will need to sign up for extended security updates (ESU) to receive support when the end-of-life (EOL) date passes.

"My guess is that these servicing stack updates for these older platforms are preparing for that switchover so the systems can check and get continued updates if you've got that [ESU] key," Goettl said.

A recent survey from Ivanti indicates many organizations have lagged in their Windows 7 migration efforts for several reasons, such as lack of time and lack of application support. In the survey of more than 500 IT professionals published in October, 39% of the respondents indicated they would not have completed migrations off of Windows 7 before the EOL date.

Microsoft makes unusual move with bug for unsupported OS 

In an unusual twist, Microsoft released information for a Remote Desktop Protocol information disclosure vulnerability (CVE-2019-1489) rated important for Windows XP -- an unsupported Windows operating system -- but did not provide a patch.

"This one was kind of odd," said Goettl, who noted Microsoft gave the CVE an exploitability assessment of 0, which typically means it is an actively exploited vulnerability, but Microsoft modified the designation to read "0 - unknown."

"Microsoft took the time to create a CVE advisory for Windows XP. We can assume there was a reason to trigger that activity, " Goettl said. "There is no update available, so people really need to get off XP unless they have an absolute necessity to keep it around."

An attacker could exploit this flaw by connecting remotely to an XP system and running a specially crafted program. The Windows XP operating system went out of mainstream support in April 2009 and left extended support in April 2014.

Other security updates of note for December Patch Tuesday include:

  • A fix for a spoofing flaw (CVE-2019-1490) rated important for Skype for Business Server 2019, cumulative update 2. In the attack scenario, a user would have to click on a malicious link to a server that has been exploited. The threat actor could then launch cross-site scripting attacks on affected systems and run code in the security context of the exploited user. Microsoft's update closes the loophole by properly sanitizing web requests.
  • A patch for a Win32k graphics remote code execution vulnerability (CVE-2019-1468) rated critical for supported Windows client and server operating systems related to improper handling of specially crafted embedded fonts. An attacker who exploits this bug -- by getting a user to click on a link to a malicious site or open a specially crafted document -- can take control of a system and run tasks based on the privilege level of the affected user. The update corrects how the Windows font library handles embedded fonts.
  • A fix for a Hyper-V remote code execution vulnerability (CVE-2019-1471) rated critical on Windows 10 and Windows Server 2019 that could allow an attacker to run a malicious application on a guest operating system to force the Hyper-V host to run arbitrary code. The update corrects the user input validation process.
  • A correction for a cross-site scripting vulnerability (CVE-2019-1332) rated important in the Microsoft SQL Server Reporting Services (SSRS) feature. To trigger the exploit, an authenticated user would need to click on a malicious link to an affected SSRS server. The attacker could then perform a range of tasks from deleting content to running malicious code. The patch corrects SSRS URL sanitization.
  • A patch for an information disclosure vulnerability (CVE-2019-1400) rated important in Microsoft Access related to a failure to handle objects in memory properly. The attacker would need to be authenticated on the system to run a malicious application to gather information on the user's system.

Adobe and Google also release patches

Google updated its Chrome web browser on Tuesday to version 79, resolving 51 vulnerabilities.

Adobe released updates for Adobe Acrobat Reader, Flash Player, Photoshop, Brackets and ColdFusion. Administrators will want to patch Acrobat Reader to close 21 vulnerabilities, 14 of which are rated critical. The company released an update for Flash Player but not for security reasons.

"Adobe is really winding down their focus on Adobe Flash," Goettl said. "I think it's safe to say that rather than it just no longer being vulnerable, Adobe is putting so little effort into it that it's not getting attention anymore. People should be focused on getting Flash Player out of their environments."

Dig Deeper on Windows Server OS and management