Microsoft December Patch Commentary by Tenable

Microsoft sent administrators around the world an early holiday gift with a lighter-than-usual Patch Tuesday. The December 2019 Patch Tuesday contains updates for 36 CVEs, seven of which are rated as critical. This month’s updates include patches for Microsoft Windows, Microsoft Office, Internet Explorer, SQL Server, Visual Studio, and Skype for Business. The following is a breakdown of the most important CVEs from this month’s release.

“This month’s Patch Tuesday release contains updates for 36 CVEs. One of the most notable vulnerabilities in this month’s release is CVE-2019-1458, an elevation of privilege vulnerability in Win32k, which has been exploited in the wild as a zero-day. An attacker could exploit the flaw to execute arbitrary code in kernel mode on the victim’s system. From there, the attacker could perform a variety of actions, such as creating a new account with full user rights, installing programs, and viewing, changing or deleting data. However, to exploit the flaw, an attacker would need to have previously compromised the system using another vulnerability in order to elevate privileges. It is also important to note this flaw affects Windows 7 and Windows Server 2008, both of which will no longer receive security updates after January 14, 2020.

Depending on the victim’s user privileges, an attacker could use a remote code execution vulnerability in Win32k Graphics (CVE-2019-1468) to create a new account with full user rights, install programs, and view, change or delete data. To exploit the flaw, an attacker could use social engineering tactics to either convince their victim to visit a specially-crafted website containing the exploit code, or by embedding the exploit code in a specially-crafted document and enticing their victim to open it.

CVE-2019-1471, a remote code execution vulnerability in Windows Hyper-V, exists due to improper validation of inputs from an authenticated user on the guest operating system by the host server. To exploit the vulnerability, an attacker would need to run a specially-crafted application on the guest operating system, resulting in the execution of arbitrary code on the host operating system.” said Satnam Narang, Senior Research Engineer, Tenable.