Today is Microsoft's December 2019 Patch Tuesday, which means it is your job to be nice to Windows administrators everywhere and not to take it personal if they are a bit grouchy today.
With the release of the December 2019 security updates, Microsoft has released 2 advisories and updates for 36 vulnerabilities. Of these vulnerabilities, 7 are classified as Critical, 27 as Important, 1 as Moderate, and one as Low.
One of the 'Important' vulnerabilities fixed today is a zero-day privilege elevation vulnerability that was discovered being actively exploited in the wild.
All users should install these security updates as soon as possible in order to protect Windows from known security risks.
For information about the non-security Windows updates, you can read about today's Windows 10 December 2019 Cumulative Updates.
Zero-day privilege elevation vulnerability in Win32k fixed
The December 2019 Patch Tuesday fixes an zero-day privilege elevation vulnerability in the Win32k component that Kaspersky Lab researchers Anton Ivanov and Alexey Kulaev discovered being actively exploited.
This vulnerability is titled "CVE-2019-1458 | Win32k Elevation of Privilege Vulnerability" and could allow an attacker to execute commands in kernel mode, which means that it has full access to the operating system.
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.
The update addresses this vulnerability by correcting how Win32k handles objects in memory.
This Windows vulnerability was chained together with a Chrome zero-day as part of an attack called Operation WizardOpium that Kaspersky detected last month.
Two advisories released
In addition to the security updates, Microsoft also released two advisories today. Once is a servicing stack update and the other is guidance on how to remove orphaned Windows Hello for Business (WHfB) public keys that were created by vulnerable TPM devices.
-
ADV190026 - Microsoft Guidance for cleaning up orphaned keys generated on vulnerable TPMs and used for Windows Hello for Business
-
ADV990001 - Latest Servicing Stack Updates
The December 2019 Patch Tuesday Security Updates
Below is the full list of resolved vulnerabilities and released advisories in the December 2019 Patch Tuesday updates. To access the full description of each vulnerability and the systems that it affects, you can view the full report here.
| Tag | CVE ID | CVE Title | Severity |
|---|---|---|---|
| ADV190026 | Microsoft Guidance for cleaning up orphaned keys generated on vulnerable TPMs and used for Windows Hello for Business | Unknown | |
| End of Life Software | CVE-2019-1489 | Remote Desktop Protocol Information Disclosure Vulnerability | Important |
| Microsoft Graphics Component | CVE-2019-1465 | Windows GDI Information Disclosure Vulnerability | Important |
| Microsoft Graphics Component | CVE-2019-1468 | Win32k Graphics Remote Code Execution Vulnerability | Critical |
| Microsoft Graphics Component | CVE-2019-1466 | Windows GDI Information Disclosure Vulnerability | Important |
| Microsoft Graphics Component | CVE-2019-1467 | Windows GDI Information Disclosure Vulnerability | Important |
| Microsoft Office | CVE-2019-1400 | Microsoft Access Information Disclosure Vulnerability | Important |
| Microsoft Office | CVE-2019-1464 | Microsoft Excel Information Disclosure Vulnerability | Important |
| Microsoft Office | CVE-2019-1461 | Microsoft Word Denial of Service Vulnerability | Important |
| Microsoft Office | CVE-2019-1462 | Microsoft PowerPoint Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2019-1463 | Microsoft Access Information Disclosure Vulnerability | Important |
| Microsoft Scripting Engine | CVE-2019-1485 | VBScript Remote Code Execution Vulnerability | Low |
| Microsoft Windows | CVE-2019-1453 | Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability | Important |
| Microsoft Windows | CVE-2019-1476 | Windows Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2019-1477 | Windows Printer Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2019-1474 | Windows Kernel Information Disclosure Vulnerability | Important |
| Microsoft Windows | CVE-2019-1478 | Windows COM Server Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2019-1483 | Windows Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2019-1488 | Microsoft Defender Security Feature Bypass Vulnerability | Important |
| Open Source Software | CVE-2019-1487 | Microsoft Authentication Library for Android Information Disclosure Vulnerability | Important |
| Servicing Stack Updates | ADV990001 | Latest Servicing Stack Updates | Critical |
| Skype for Business | CVE-2019-1490 | Skype for Business Server Spoofing Vulnerability | Important |
| SQL Server | CVE-2019-1332 | Microsoft SQL Server Reporting Services XSS Vulnerability | Important |
| Visual Studio | CVE-2019-1350 | Git for Visual Studio Remote Code Execution Vulnerability | Critical |
| Visual Studio | CVE-2019-1349 | Git for Visual Studio Remote Code Execution Vulnerability | Critical |
| Visual Studio | CVE-2019-1486 | Visual Studio Live Share Spoofing Vulnerability | Important |
| Visual Studio | CVE-2019-1387 | Git for Visual Studio Remote Code Execution Vulnerability | Critical |
| Visual Studio | CVE-2019-1354 | Git for Visual Studio Remote Code Execution Vulnerability | Critical |
| Visual Studio | CVE-2019-1351 | Git for Visual Studio Tampering Vulnerability | Moderate |
| Visual Studio | CVE-2019-1352 | Git for Visual Studio Remote Code Execution Vulnerability | Critical |
| Windows Hyper-V | CVE-2019-1471 | Windows Hyper-V Remote Code Execution Vulnerability | Critical |
| Windows Hyper-V | CVE-2019-1470 | Windows Hyper-V Information Disclosure Vulnerability | Important |
| Windows Kernel | CVE-2019-1472 | Windows Kernel Information Disclosure Vulnerability | Important |
| Windows Kernel | CVE-2019-1458 | Win32k Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2019-1469 | Win32k Information Disclosure Vulnerability | Important |
| Windows Media Player | CVE-2019-1480 | Windows Media Player Information Disclosure Vulnerability | Important |
| Windows Media Player | CVE-2019-1481 | Windows Media Player Information Disclosure Vulnerability | Important |
| Windows OLE | CVE-2019-1484 | Windows OLE Remote Code Execution Vulnerability | Important |
Comments
noelprg4 - 4 years ago
Oh no - the newly released KB4530734 cumulative rollup update of December 2019 (which fixes the recent security flaws mentioned here) now includes EOL notifications when continuing use of Win7 after the Jan. 14, 2020 EOL date:
https://support.microsoft.com/en-us/help/4530734/windows-7-update-kb4530734
"IMPORTANT Starting on January 15, 2020, a full-screen notification will appear that describes the risk of continuing to use Windows 7 Service Pack 1 after it reaches end of support on January 14, 2020. The notification will remain on the screen until you interact with it."
jmwoods - 4 years ago
The ADV990001 link in the article does not match the dates from Microsoft's ADV990001 link.
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001
The article is showing SSU's for September...MS for November.