patch tuesday
Threat Research

Microsoft released their monthly security updates for November, 2019, this morning. This month, Microsoft said the company fixed a total of 73 vulnerabilities across its product lines. Thirteen of the fixes address problems Microsoft classifies as Critical, the most urgent type of problem to address. The company classified the repair of an additional 59 bugs as Important.

Bugs discovered in the Hyper-V hypervisor were the most numerous this month. Microsoft fixed 9 Hyper-V vulnerabilities, five of which could potentially have been leveraged during an attack to perform remote code execution. The remaining fixes target a group of components that routinely get security updates: the Jet Database Engine, the Microsoft Office360 suite, various scripting engines (VBScript and Chakra), and the Windows kernel (Win32k, GDI, WSL).

The fixes in these other components also span the gamut, addressing things ranging from relatively-mundane information leaks, to privilege elevation, to the potential for remote code execution.

As has been the case recently, Adobe synchronized the release of its ADV190026 (Critical) security update advisory about Flash Player to Patch Tuesday as well. The updates for Adobe products come from Adobe and may not be updated as part of the Windows Update process.

SophosLabs has broken down the most critical bits of the November 2019 edition of Patch Tuesday you need to be aware of:

Hyper-V

(CVE-2019-0712, -0719, -0721, -1309, -1310, -1389, -1397, -1398, -1399)

Although the past several months were dominated by patches around RDP, this month update has a noticeably large number of Hyper-V patches. A few of the repaired vulnerabilities (CVE-2019-0719, -0721) fix a problem in the Hyper-V VmSwitch, which in its pre-patch state might permit an attacker to execute code on the host operating system.

What Microsoft refers to as a failure to properly validate input from an authenticated user on a guest operating system we more colloquially describe as a VM escape, where malicious code running on a VM can jump out of the virtual environment of the VM, and onto the host machine. It’s a serious problem easily fixed by updating.

Windows kernel

(CVE-2019-1393, -1394, -1395, -1396, -1408, -1434, -1436, -1440, -1441)

Microsoft found and fixed several memory corruption vulnerabilities in the Win32k and GDI kernel components. Although those vulnerabilities vary by their nature (eg., use-after-free, or buffer overflow), their successful exploitation would allow an attacker to locally elevate their privileges; or in the case of a remote scenario (and coupled with, at least, a browser exploit) such vulnerabilities could be triggered remote and allow a browser sandbox escape, giving full control of the affected computer to the attacker.

Windows Subsystem for Linux

(CVE-2019-1416)

Although the company gave us no in-depth details about this vulnerability, Microsoft has deemed this vulnerability in the Windows Subsystem for Linux (WSL) component of Windows significant enough to merit an ‘Important’ categorization, and a patch.

The vulnerability itself is a race condition in Windows Subsystem for Linux, which (upon success) could allow a locally-authenticated attacker to execute privileged code.

Scripting engines

(CVE-2019-1390, -1426, -1427, -1428, -1429)

As usual, a variety of components from Microsoft’s Web browser engines (Internet Explorer / Edge / Chakra / VBScript) were not spared updates. Several vulnerabilities were found, some of which could lead to code execution simply by visiting a page.

Detection guidance

Sophos endpoint and network protection products have released the following signatures designed to detect exploit attempts against the vulnerabilities listed below.

CVE

SAV IPS
CVE-2019-1390 Exp/20191390-A 2301155
CVE-2019-1429 Exp/20191429-A 2301156

How long does it take to have Sophos detection in place?
We aim to add detection to critical issues based on the type and nature of the vulnerabilities as soon as possible. In many cases, existing detections will catch exploit attempts without the need for updates.

 

What if the vulnerability/0-day you’re looking for is not listed here?
If we haven’t released an update for a specific exploit, the most likely reason is that we did not receive the data that shows how the exploit works in the real world. As many of this month’s exploits were crafted in a lab and have not been seen in the wild, nobody has enough information (yet) about how criminals would, hypothetically, exploit any given vulnerability. If or when we receive information about real attacks, we will create new detections, as needed.