Welcome to December's Patch Tuesday breakdown.
This month, Microsoft has released fixes for 36 vulnerabilities: 27 are ranked as “Important” and 7 are “Critical.” One of the important updates resolved this month is a zero-day privilege elevation vulnerability that is being actively exploited in the wild.
While December's security update may be one of the smallest updates we've seen in a while, it is crucial that these vulnerabilities get resolved in a timely manner – especially when there's a zero-day on the table. With major holidays right around the corner, taking the time to make sure your networks are secure is essential. While you are thinking about holiday shopping or taking some well-earned time off this season, malicious actors are thinking about shopping for their next victim and taking whatever they can get. Patching vulnerabilities is a primary line of defense, and keeping tabs on your patch status is crucial to having good cyber hygiene this holiday season. Microsoft suggests applying patches as soon as possible.
With support for Windows 7 ending on January 14, 2020, Microsoft also cautions that non-upgraded devices will be “more vulnerable to viruses and malware” due to the absence of security and software updates. Microsoft strongly encourages users to consider upgrading their OS. While not every machine can be upgraded, there are steps you can take to protect those endpoints.
For December, Adobe has also released security updates addressing a bevy of critical vulnerabilities in a number of popular applications, including Adobe Acrobat, Reader and Photoshop CC. Apple also released a series of security updates for this month. Overall, December is looking like a light month in terms of patches, but it's important to make sure you haven't forgotten about November's critical security updates after surviving a Thanksgiving food coma. See last month's breakdown for more on November's Patch Tuesday update.
Microsoft fixes zero day vulnerability with December Patch Tuesday
Researchers from Kaspersky Lab are credited with discovering the latest zero day for Microsoft. Known as CVE-2019-1458, it is a privilege elevation vulnerability that exists in Win32k and is actively being exploited in the wild. According to Microsoft, this vulnerability occurs when Win32k fails to handle objects in memory properly. Attackers can exploit this weakness by logging into the system and then running a specially designed application that could exploit the vulnerability and take control of the system.
If successful, the attackers could then run arbitrary code in kernel mode – which means they have full access to the operating system.
From there, they can install programs, view and change data and create new accounts with full user privileges. The update from Microsoft resolves the issue with Win32k by correcting how it handles objects in memory.
More updates from Microsoft
Microsoft has released 36 security updates for this month, seven of which are rated “critical.” These include:
CVE-2019-1468 is a critical Win32k Graphics remote code execution vulnerability that exists when Windows font library incorrectly handles specially crafted embedded fonts. This vulnerability can be exploited in a couple different ways:
- File-sharing attack: A malicious creates a special document designed to target this vulnerability, and then convinces a user to open the document file.
- Web-based attack: An attacker hosts a website specifically designed to exploit this vulnerability, and then convinces users to view the webpage. The bad actor cannot force users to view the malicious website; instead, the attacker must trick the user into taking action. Most often, this includes sending a link or attachment through email or an instant message.
If successful, attackers can exploit this vulnerability to gain access to private data that may allow them to seize control of the victim system. From there, they can install programs, view or change data, or create new user accounts with full privileges. December's security update fixes this issue by changing how the Windows font library handles embedded fonts.
CVE-2019-1471 is a remote code execution vulnerability that exists in Windows HyperV on a host server when HyperV fails to correctly validate input from authenticated users. Attackers can exploit this vulnerability with a targeted application that causes HyperV host to run arbitrary code.
CVE-2019-1349, -1350, -1352, -1354 and -1387 are also remote code execution vulnerabilities that exist in Git for Visual Studio when inputs are improperly sanitized. To exploit these vulnerabilities, attackers would need to first convince (or trick) a user into cloning a malicious repository.
All iterations of Microsoft Visual Studio 2017 versions 15.0 and 15.9 and Microsoft Visual Studio 2019 versions 16.0 and 16.4 are affected by these vulnerabilities.
The vulnerability in Git for Visual Studio is of particular concern because it is one of the most popular developmental environments for application building and design – which surely puts a target on engineering organizations.
It is also important to note that support for Windows 7 is ending in January 2020, which will soon be upon us. Upgrading your operating systems can be challenging, but it is necessary for good cyber hygiene. An OS that is no longer getting security updates is an OS that is going to put your organization's cybersecurity at risk. While support from Microsoft may end, malicious actors will still be able to target older systems that are no longer getting patched.
Other security updates for December
Adobe released a host of critical security updates this month, addressing security issues in a number of widely used applications including: Acrobat, Reader, Photoshop CC, Brackets and ColdFusion.
For the update on Adobe Reader and Acrobat alone (APSB19-55), a total of 21 vulnerabilities are getting resolved this month – 14 of which are rated “critical” because they could lead to arbitrary code execution. The remaining 7 updates are ranked as “Important” as they could lead to privilege escalation or information disclosure.
An update for Photoshop CC (APSB19-56) fixes two critical memory corruption vulnerabilities that could lead to arbitrary code execution.
The ColdFusion update (APSB19-58) resolves a privilege escalation vulnerability created by “insecure inherited permissions for the default installation directory.” And a security update (APSB19-57) for Brackets addresses a critical vulnerability that could be used to allow attackers to perform command injection that leads to arbitrary code execution.
To correct these security issues, Adobe recommends updating to the latest version of each application.
This month, Apple has also released a number of security updates which are available for macOS Catalina, Mojave and High Sierra, as well as updates for Safari, Apple Watch and iOS for iPhone and iPad. Fixes for macOS this month include resolutions for arbitrary code execution, privilege escalation and denial of service vulnerabilities, along with other issues.
For December, Firefox 71, Firefox ESR 68.3 and Thunderbird 68.3 also got a series of significant security updates, ranging in severity from medium to high. This month's fixes include a number of memory safety bugs in Firefox, with a group of Mozilla developers reporting that some of these vulnerabilities show signs of memory corruption. The developers add, “[W]e presume that with enough effort some of these could have been exploited to run arbitrary code.”
While December's Patch Tuesday is light in terms of volume, the importance of timely patching is as critical as ever. As the holidays approach, keeping your organization up-to-date on all things related to cybersecurity is essential. Attackers know that the holiday season is a great time to look for targets: Not only are more people working remote during the holidays, there's a greater chance for malicious actors to go unnoticed. People are taking time off, and your IT department may be understaffed – which means they may not be able to notice or respond to threats fast enough. Automating patch management and bolstering endpoint visibility through a cross-platform patch management solution can help organizations fill in the gaps in their cybersecurity game year-round, while making the process of patching more effective and efficient.
About Automox Automated Patch Management
Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.
Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.
Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.