Overview
Microsoft released its December 2019 security update on Tuesday, fixing 38 security issues that range from simple spoofing attacks to remote code execution in various products, including End of Life Software, Microsoft Graphics Component, Microsoft Office, Microsoft Scripting Engine, Microsoft Windows, None, Open Source Software, Servicing Stack Updates, Skype for Business, SQL Server, Visual Studio, Windows Hyper-V, Windows Kernel, Windows Media Player, and Windows OLE.
Seven of the vulnerabilities fixed in this month's update are rated critical; they are located in Hyper-V, the Windows font library, and Visual Studio. In addition, some of the fixed vulnerabilities are rated important.
Critical Vulnerabilities
The following are seven critical vulnerabilities covered in this update.
CVE-2019-1468
This is a remote code execution vulnerability in the Windows font library, which stems from the library's inability to properly handle certain embedded fonts. An attacker could exploit this vulnerability to execute code remotely by persuading users to visit a web page that contains a specially crafted malicious embedded font, or to open a specially crafted font file on their computer.
For more details about the vulnerability and related updates, please refer to Microsoft’s official security bulletins:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1468
CVE-2019-1471
This is a remote code execution vulnerability in the Hyper-V hypervisor. Sometimes, Hyper-V may fail to properly validate input from authenticated users on the guest operating system. An attacker could exploit this vulnerability by running a specially designed application on the guest OS, which could cause the Hyper-V host operating system to execute arbitrary code.
For more details about the vulnerability and related updates, please refer to Microsoft’s official security bulletins:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1471
Visual Studio
There are several key vulnerabilities in Git for Visual Studio (CVE-2019-1349, CVE-2019-1350, CVE-2019-1352, CVE-2019-1354, CVE-2019-1387).
Git for Visual Studio has an input validation issue which could lead to remote code execution. An attacker who successfully exploits this vulnerability could take control of an affected system. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker first needs to convince users to clone a malicious repository.
For more details about the vulnerability and related updates, please refer to Microsoft’s official security bulletins:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1349
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1350
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1352
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1354
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1387
Important Vulnerabilities
In addition to two critical vulnerabilities, this update also covers multiple important vulnerabilities, three of which require special attention.
CVE-2019-1458
This is a privilege elevation vulnerability in the Windows Win32k component. An attacker could exploit this vulnerability by logging into the system and then running a specially designed application, thus taking full control of the system and executing arbitrary code in kernel mode. Microsoft reports that this vulnerability has been widely exploited in the wild.
For more details about the vulnerability and related updates, please refer to Microsoft’s official security bulletins:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1458
CVE-2019-1469
This is an information disclosure vulnerability in Windows, which stems from the Win32k component sometimes failing to provide kernel information properly. An attacker could exploit this vulnerability to obtain uninitialized memory and kernel memory and then use it for other attacks.
For more details about the vulnerability and related updates, please refer to Microsoft’s official security bulletins:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1469
CVE-2019-1485
This is a remote code execution vulnerability in the VBScript engine. An attacker could exploit this vulnerability to corrupt the memory of an affected system, resulting in arbitrary code execution in the context of the current user. To trigger this vulnerability, users must visit a specially designed malicious website in Internet Explorer. An attacker could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the Internet Explorer rendering engine, and then convince the user to open the file.
For more details about the vulnerability and related updates, please refer to Microsoft’s official security bulletins:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1485
Remediation
Bugs fixed in this update are shown in the following table:
Product | CVE ID | CVE Title | Severity Level |
End of Life Software | CVE-2019-1489 | Remote Desktop Protocol Information Disclosure Vulnerability | Important |
Microsoft Graphics Component | CVE-2019-1465 | Windows GDI Information Disclosure Vulnerability | Important |
Microsoft Graphics Component | CVE-2019-1466 | Windows GDI Information Disclosure Vulnerability | Important |
Microsoft Graphics Component | CVE-2019-1467 | Windows GDI Information Disclosure Vulnerability | Important |
Microsoft Graphics Component | CVE-2019-1468 | Win32k Graphics Remote code execution vulnerability | Critical |
Microsoft Office | CVE-2019-1400 | Microsoft Access Information Disclosure Vulnerability | Important |
Microsoft Office | CVE-2019-1461 | Microsoft Word Denial of service vulnerability | Important |
Microsoft Office | CVE-2019-1462 | Microsoft PowerPoint Remote code execution vulnerability | Important |
Microsoft Office | CVE-2019-1463 | Microsoft Access Information Disclosure Vulnerability | Important |
Microsoft Office | CVE-2019-1464 | Microsoft Excel Information Disclosure Vulnerability | Important |
Microsoft Scripting Engine | CVE-2019-1485 | VBScript Remote code execution vulnerability | Important |
Microsoft Windows | CVE-2019-1453 | Windows Remote Desktop Protocol (RDP) Denial of service vulnerability | Important |
Microsoft Windows | CVE-2019-1474 | Windows Kernel Information Disclosure Vulnerability | Important |
Microsoft Windows | CVE-2019-1483 | Windows Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2019-1488 | Microsoft Defender Security Function Bypass Vulnerability | Important |
Microsoft Windows | CVE-2019-1476 | Windows Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2019-1477 | Windows Printer Service Elevation of Privilege Vulnerability | Important |
Microsoft Windows | CVE-2019-1478 | Windows COM Server Elevation of Privilege Vulnerability | Important |
None | ADV190026 | Microsoft Guidance for cleaning up orphaned keys generated on vulnerable TPMs and used for Windows Hello for Business | |
Open Source Software | CVE-2019-1487 | Microsoft Authentication Library for Android Information Disclosure Vulnerability | Important |
Servicing Stack Updates | ADV990001 | Latest Servicing Stack Updates | Critical |
Skype for Business | CVE-2019-1490 | Skype for Business Server Fraud | Important |
SQL Server | CVE-2019-1332 | Microsoft SQL Server Reporting Services XSS Vulnerability | Important |
Visual Studio | CVE-2019-1349 | Git for Visual Studio Remote code execution vulnerability | Critical |
Visual Studio | CVE-2019-1350 | Git for Visual Studio Remote code execution vulnerability | Critical |
Visual Studio | CVE-2019-1351 | Git for Visual Studio Tampering Vulnerability | Moderate |
Visual Studio | CVE-2019-1352 | Git for Visual Studio Remote code execution vulnerability | Critical |
Visual Studio | CVE-2019-1354 | Git for Visual Studio Remote code execution vulnerability | Critical |
Visual Studio | CVE-2019-1387 | Git for Visual Studio Remote code execution vulnerability | Critical |
Visual Studio | CVE-2019-1486 | Visual Studio Live Share Fraud | Important |
Windows Hyper-V | CVE-2019-1470 | Windows Hyper-V Information Disclosure Vulnerability | Important |
Windows Hyper-V | CVE-2019-1471 | Windows Hyper-V Remote code execution vulnerability | Critical |
Windows Kernel | CVE-2019-1472 | Windows Kernel Information Disclosure Vulnerability | Important |
Windows Kernel | CVE-2019-1458 | Win32k Elevation of Privilege Vulnerability | Important |
Windows Kernel | CVE-2019-1469 | Win32k Information Disclosure Vulnerability | Important |
Windows Media Player | CVE-2019-1480 | Windows Media Player Information Disclosure Vulnerability | Important |
Windows Media Player | CVE-2019-1481 | Windows Media Player Information Disclosure Vulnerability | Important |
Windows OLE | CVE-2019-1484 | Windows OLE Remote code execution vulnerability | Important |
Affected Software
The following tables list the affected software details for the vulnerability.
CVE-2019-1490
Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
Skype for Business Server 2019 CU2 | 4534761 Security Update | Important | Spoofing | | Base: N/A Temporal: N/A Vector: N/A | Yes |
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.