Microsoft’s December 2019 Security Update Fixes 38 Security Vulnerabilities

Microsoft’s December 2019 Security Update Fixes 38 Security Vulnerabilities

December 30, 2019 | Mina Hao

Overview

Microsoft released 2019 December security update on Tuesday that fixes 38 security issues ranging from simple spoofing attacks to remote code execution in various products, including End of Life Software, Microsoft Graphics Component, Microsoft Office, Microsoft Scripting Engine, Microsoft Windows, None, Open Source Software, Servicing Stack Updates, Skype for Business, SQL Server, Visual Studio, Windows Hyper-V, Windows Kernel, Windows Media Player, and Windows OLE.

Of the vulnerabilities fixed by Microsoft’s update of this month, seven are critical, which are located in Hyper-V, Windows font library, and Visual Studio. In addition, some of those vulnerabilities are important ones.

Critical Vulnerabilities

The following are seven critical vulnerabilities covered in this update.

CVE-2019-1468

This is a remote code execution vulnerability in the Windows font library, which stems from the library’s inability to properly handle certain embedded fonts. Via a specially crafted malicious embedded font on a web page, an attacker could exploit this vulnerability to persuade users to visit the web page or open a specially crafted font file on their computer to execute code remotely.

 

For more details about the vulnerability and related updates, please refer to Microsoft’s official security bulletins:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1468

CVE-2019-1471

This is a remote code execution vulnerability in the Hyper-V hypervisor. Sometimes, Hyper-V may fail to properly validate input by authenticated users on the guest operating system. An attacker could exploit this vulnerability by running a specially designed application on the guest OS, which would allow the Hyper-V host OS to execute arbitrary code on the host operating system.

 

For more details about the vulnerability and related updates, please refer to Microsoft’s official security bulletins:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1471

 

Visual Studio

There are several key vulnerabilities in Git for Visual Studio (CVE-2019-1349, CVE-2019-1350, CVE-2019-1352, CVE-2019-1354, CVE-2019-1387).

Git for Visual Studio has an input validation issue which could lead to a remote code execution vulnerability. An attacker who successfully exploits this vulnerability could take control of an affected system. An attacker could then install programs, view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker first needs to convince users to clone a malicious repository.

 

For more details about the vulnerability and related updates, please refer to Microsoft’s official security bulletins:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1349

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1350

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1352

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1354

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1387

 

Important Vulnerabilities

In addition to two critical vulnerabilities, this update also covers multiple important vulnerabilities, three of which require special attention.

CVE-2019-1458

This is a privilege elevation vulnerability in the Windows Win32k component. An attacker could exploit this vulnerability by logging into the system and then running a specially designed application, thus taking full control of the system and executing arbitrary code in kernel mode. Microsoft reports that this vulnerability has been widely exploited in the wild.

For more details about the vulnerability and related updates, please refer to Microsoft’s official security bulletins:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1458

CVE-2019-1469

This is an information disclosure vulnerability in Windows which is derived from the fact that the win32k component sometimes cannot provide kernel information. An attacker could exploit this vulnerability to obtain uninitialized memory and kernel memory and then use it for other attacks.

For more details about the vulnerability and related updates, please refer to Microsoft’s official security bulletins:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1469

 

CVE-2019-1485

This is a remote code execution vulnerability in the VBscript engine. An attacker could exploit this vulnerability to corrupt the memory of an affected system, resulting in arbitrary code execution in the context of the current user. To trigger this vulnerability, users must visit a specially designed malicious website in an Internet Explorer browser. An attacker could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the Internet Explorer rendering engine, and then convince the user to open the file.

For more details about the vulnerability and related updates, please refer to Microsoft’s official security bulletins:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1485

 

 

Remediation

Bugs fixed in this update are shown in the following table:

Product CVE ID CVE Title Severity Level
End of Life Software CVE-2019-1489 Remote Desktop Protocol Information Disclosure Vulnerability Important
Microsoft Graphics Component CVE-2019-1465 Windows GDI Information Disclosure Vulnerability Important
Microsoft Graphics Component CVE-2019-1466 Windows GDI Information Disclosure Vulnerability Important
Microsoft Graphics Component CVE-2019-1467 Windows GDI Information Disclosure Vulnerability Important
Microsoft Graphics Component CVE-2019-1468 Win32k Graphics Remote code execution vulnerability Critical
Microsoft Office CVE-2019-1400 Microsoft Access Information Disclosure Vulnerability Important
Microsoft Office CVE-2019-1461 Microsoft Word Denial of service vulnerability Important
Microsoft Office CVE-2019-1462 Microsoft PowerPoint Remote code execution vulnerability Important
Microsoft Office CVE-2019-1463 Microsoft Access Information Disclosure Vulnerability Important
Microsoft Office CVE-2019-1464 Microsoft Excel Information Disclosure Vulnerability Important
Microsoft Scripting Engine CVE-2019-1485 VBScript Remote code execution vulnerability Important
Microsoft Windows CVE-2019-1453 Windows Remote Desktop Protocol (RDP) Denial of service vulnerability Important
Microsoft Windows CVE-2019-1474 Windows Kernel Information Disclosure Vulnerability Important
Microsoft Windows CVE-2019-1483 Windows Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2019-1488 Microsoft Defender Security Function Bypass Vulnerability Important
Microsoft Windows CVE-2019-1476 Windows Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2019-1477 Windows Printer Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2019-1478 Windows COM Server Elevation of Privilege Vulnerability Important
None ADV190026 Microsoft Guidance for cleaning up orphaned keys generated on vulnerable TPMs and used for Windows Hello for Business
Open Source Software CVE-2019-1487 Microsoft Authentication Library for Android Information Disclosure Vulnerability Important
Servicing Stack Updates ADV990001 Latest Servicing Stack Updates Critical
Skype for Business CVE-2019-1490 Skype for Business Server Fraud Important
SQL Server CVE-2019-1332 Microsoft SQL Server Reporting Services XSS Vulnerability Important
Visual Studio CVE-2019-1349 Git for Visual Studio Remote code execution vulnerability Critical
Visual Studio CVE-2019-1350 Git for Visual Studio Remote code execution vulnerability Critical
Visual Studio CVE-2019-1351 Git for Visual Studio Tampering Vulnerability Moderate
Visual Studio CVE-2019-1352 Git for Visual Studio Remote code execution vulnerability Critical
Visual Studio CVE-2019-1354 Git for Visual Studio Remote code execution vulnerability Critical
Visual Studio CVE-2019-1387 Git for Visual Studio Remote code execution vulnerability Critical
Visual Studio CVE-2019-1486 Visual Studio Live Share Fraud Important
Windows Hyper-V CVE-2019-1470 Windows Hyper-V Information Disclosure Vulnerability Important
Windows Hyper-V CVE-2019-1471 Windows Hyper-V Remote code execution vulnerability Critical
Windows Kernel CVE-2019-1472 Windows Kernel Information Disclosure Vulnerability Important
Windows Kernel CVE-2019-1458 Win32k Elevation of Privilege Vulnerability Important
Windows Kernel CVE-2019-1469 Win32k Information Disclosure Vulnerability Important
Windows Media Player CVE-2019-1480 Windows Media Player Information Disclosure Vulnerability Important
Windows Media Player CVE-2019-1481 Windows Media Player Information Disclosure Vulnerability Important
Windows OLE CVE-2019-1484 Windows OLE Remote code execution vulnerability Important

 

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1490
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Skype for Business Server 2019 CU2 4534761 Security Update Important Spoofing Base: N/A
Temporal: N/A
Vector: N/A
Yes

 

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.

NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA).

A wholly owned subsidiary of NSFOCUS Information Technology Co. Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.

Download: ‘s December 2019 Security Update Fixes 38 Security Vulnerabilities