December 2019’s Patch Tuesday updates are out, and for the most part, it’s the usual undemanding Christmas load for admins to browse through.
All told, there are 36 CVE-level vulnerabilities, seven of which are marked ‘critical’, 27 important, and one each for low and moderate.
Predictably, the critical flaws are all remote code execution (RCE) flaws, five relating to Git for Visual Studio, one in Hyper-V, and one in the Win32k Graphics subsystem.
The award for most interesting flaw of the month goes to CVE-2019-1458, an elevation of privilege zero-day in the Win32k component that’s being exploited in the wild.
The assessment that this is ‘important’ rather than ‘critical’ is misleading given unconfirmed speculation that attackers are using it in conjunction with CVE-2019-13720, a use-after-free zero-day in Google Chrome versions prior to 78.0.3904.87, publicised in October.
The campaign behind their use was labelled Operation WizardOpium and linked to the Lazarus Group, which was recently discovered to be separately targeting macOS users with ‘fileless’ malware.
The good news is that the Chrome flaw has already been patched, which just leaves admins to do the same for its apparent Microsoft companion flaw.
The RDP flaw with no patch
A curiosity this month is CVE-2019-1489 – the latest in a long line of Remote Desktop Protocol (RDP) bugs. What’s unexpected is that it affects Windows XP SP3, an operating system which stopped receiving automatic security fixes five years ago.
Unusually, Microsoft did patch an RDP flaw in XP SP3 in May, which at least raised the possibility that a fix might be offered in this case too. However, when we checked the Microsoft Update Catalogue for a manual patch for this, none was on offer. That’s because:
Microsoft will not provide an update for this vulnerability because Windows XP is out of support. Microsoft strongly recommends upgrading to a supported version of Windows software.
In other words, anyone suffering this flaw is on their own. Worse still, at least one security blogger thinks this flaw is probably being exploited on the basis of Microsoft’s ambiguous advisory.
SGX Plundervolt
Among 11 security advisories, Intel’s Patch Tuesday update features a fix for a research proof-of-concept attack on the company’s Software Guard eXtensions (SGX) enclave security implemented in all the company’s recent processors.
Identified as CVE-2019-11157, it’s been dubbed ‘PlunderVolt’ by the researchers who reported it to Intel earlier this year:
Intel recommends that users of the above Intel Processors update to the latest BIOS version provided by the system manufacturer that addresses these issues.
This is probably not a big deal for the average computer user, but the advisory to look for is INTEL-SA-00289.
Adobe
Adobe Acrobat and Reader get fixes for 21 CVEs, 14 of which are RCEs and therefore rated critical. There’s also a smattering of security fixes for ColdFusion, Photoshop CC, Bridge CC, Media Encoder, Illustrator, and Animate, including several more rated critical.
Time to get patching.
Paul Wilder
Are they having any problems with people’s computers that have done the updates?