November 2019 Patch Tuesday: Actively exploited IE zero-day fixed
November 2019 Patch Tuesday comes with patches for an IE zero-day exploited by attackers in the wild and four Hyper-V escapes.
Microsoft updates
Microsoft has delivered fixes for 74 vulnerabilities in various products, 13 of which are deemed to be critical. The most notable ones in this batch are:
- CVE-2019-1429, a scripting engine memory corruption vulnerability that, according to researchers of the Google Threat Analysis Group, is being exploited in attacks in the wild to achieve remote code execution
- CVE-2019-16863, a flaw effecting STMicroelectronics Trusted Platform Module (TPM) chipsets, which impacts key confidentiality in the Elliptic Curve Digital Signature Algorithm (ECDSA).
The former can be triggered in several ways.
“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked ‘safe for initialization’ in an application or Microsoft Office document that hosts the IE rendering engine,” Microsoft explained.
“The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.”
Updating Internet Explorer should therefore be a priority, especially on workstations, as all current IE versions are affected.
CVE-2019-16863 does not affect any of Windows or a specific Microsoft application. The hole can be plugged through a TPM firmware update (more info here).
“If your system is affected and requires the installation of TPM firmware updates, you might need to re-enroll in security services you are running to remediate those affected services,” Microsoft pointed out.
Other security updates that should be prioritized are those for Hyper-V systems, as they fix four vulnerabilities that would allow a remote, authenticated user on a guest system to run arbitrary code on the host system, and those for Microsoft Exchange.
“Bugs in Exchange Server are always interesting on some level, and [CVE-2019-1373] certainly doesn’t disappoint. The patch corrects a vulnerability in the deserialization of metadata via PowerShell. To exploit this, an attacker would need to convince a user to run cmdlets via PowerShell. While this may be an unlikely scenario, it only takes one user to compromise the server. If that user has administrative privileges, they could hand over complete control to the attacker,” noted Trend Micro ZDI’s Dustin Childs.
Finally, Microsoft has also finally provided a fix for CVE-2019-1457, a vulnerability that could allow attackers to leverage XLM macros to execute arbitrary code on a vulnerable system (more info here).
As usual, SANS ISC has a helpful “at a glance” overview about all the issues fixed.
Adobe updates
Adobe has plugged critical and important security holes in Illustrator CC (vector graphics editor), Media Encoder, Animate CC (animation software) and Bridge CC (asset manager).
The Illustrator update fixes three flaws, two of which are memory corruption issues that could allow code execution. The Media Encoder update nixes 5 vulnerabilities, one of which is critical (could lead to code execution).
The Bridge and Animate updates are less critical, but users are advised to implement them as soon as they can.
The good news is that none of the vulnerabilities fixed in this latest batch of Adobe updates are under active exploitation so, for the moment, Microsoft’s updates should definitely take precedence.