Administrators will need to focus on deploying fixes for an Internet Explorer zero-day and a Microsoft Excel bug as part of the November Patch Tuesday security updates.
Microsoft issued corrections for 75 vulnerabilities, 14 rated critical, in this month’s releases which also delivered fixes for Windows operating systems, Microsoft Office and Office 365 applications, Edge browser, Exchange Server, ChakraCore, Secure Boot, Visual Studio and Azure Stack.
In addition to these November Patch Tuesday updates, administrators should also look at the Google Chrome browser to fix a zero-day (CVE-2019-13720) reported by Kaspersky Labs researchers. Google corrected the flaw in build 78.0.3904.87 released on Oct. 31 for Windows, Mac and Linux systems.
Microsoft plugs Internet Explorer zero-day
The Internet Explorer zero-day (CVE-2019-1429), rated critical for Windows client systems and moderate for the server OS, covers the range of browsers from Internet Explorer 9 to 11. The flaw is a memory corruption vulnerability that could let an attacker execute code remotely on a system in the context of the current user. If that user is an administrator, then the attacker would gain full control of the system.
On a system run by a user with lower privileges, the attacker would need to do additional work through another exploit to elevate their privilege. Organizations that follow least privilege will be less susceptible to the exploit until administrators can roll out the update to Windows systems. Exposure to the zero-day can occur in several scenarios, from visiting a malicious website to opening an application or Microsoft Office document that contains the exploit.
“[There are] a few different ways to exploit [the IE zero-day], such as going to a site that allows user-contributed content like ads that can be injected with this type of malicious content to serve up the attack,” said Chris Goettl, director of product management and security at Ivanti, a security and IT management vendor based in South Jordan, Utah.
Organizations can take nontechnical measures, such as implementing training that teaches users to avoid suspicious emails and websites, but the best way to prevent exploitation is to roll out the security update as quickly as possible because the vulnerability is under active attack, Goettl said.
Microsoft resolved a security feature bypass in Microsoft Excel 2016/2019 for macOS systems (CVE-2019-1457) rated important that had been publicly disclosed. The security update corrects a bug that did not enforce the macro settings for Excel documents. A user who opened a malicious Excel worksheet would trigger the exploit when it runs a macro. Microsoft’s advisory stipulated the preview pane is not an attack vector for this vulnerability.
Other security updates worth noting for November Patch Tuesday include:
- A critical servicing update to ChakraCore to correct three memory corruption bugs (CVE-2019-1426, CVE-2019-1427 and CVE-2019-1428) that affect the Microsoft Edge browser in client and server operating systems. The remote code execution vulnerability could let an attacker run arbitrary code in the context of the current user to obtain the same user rights.
- A remote code execution vulnerability in Exchange Server 2013/2016/2019 (CVE-2019-1373) that would let an attacker run arbitrary code. The exploit requires a user to run a PowerShell cmdlet. The update corrects how Exchange serializes its metadata.
- A critical remote code execution vulnerability (CVE-2019-1419) in all supported Windows versions related to OpenType font parsing in the Windows Adobe Type Manager Library. An attacker could exploit the bug either by having a user open a malicious document or by luring the user to a website that embeds specially crafted OpenType fonts.
- Microsoft resolved nine vulnerabilities affecting the Hyper-V virtualization platform. CVE-2019-0719, CVE-2019-0721, CVE-2019-1389, CVE-2019-1397 and CVE-2019-1398 relate to critical remote code execution bugs. CVE-2019-0712, CVE-2019-1309, CVE-2019-1310 and CVE-2019-1399 are denial-of-service flaws rated important.
Microsoft shares information on Trusted Platform Module bug
Microsoft also issued an advisory (ADV190024) for a vulnerability (CVE-2019-16863) in the Trusted Platform Module (TPM) firmware. The company indicated there is no patch because the flaw is not in the Windows OS or a Microsoft application, but rather in certain TPM chipsets. Microsoft said users should contact their TPM manufacturer for further information.
TPM chips stop unauthorized modifications to hardware and use cryptographic keys to detect tampering in firmware and the operating system.
“Other software or services you are running might use this algorithm. Therefore, if your system is affected and requires the installation of TPM firmware updates, you might need to reenroll in security services you are running to remediate those affected services,” the advisory said.
The flaw affects TPM firmware based on the Trusted Computing Guidelines specification family 2.0, according to Microsoft.
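Because Microsoft's advisory sends users to their TPM manufacturer, the first triage step is knowing which vendor, firmware version and TCG spec family the host actually has. The inventory script below is an added example, not from the article or from Microsoft's advisory; it assumes an elevated PowerShell 3 or later session on Windows 7 SP1 / Server 2008 R2 or newer and reads the documented Win32_Tpm WMI class.

```powershell
# Added example (not from the article): identify the TPM on this host so the
# right vendor can be asked about ADV190024 / CVE-2019-16863.
# Assumes: elevated PowerShell 3+, Win32_Tpm available in root\cimv2\Security\MicrosoftTpm.
function Get-TpmInventory {
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { return [pscustomobject]@{ Present = $false } }

    # ManufacturerId is the TCG vendor ID: four ASCII bytes packed into a UInt32,
    # most significant byte first (e.g. 0x494E5443 decodes to "INTC").
    $bytes = [BitConverter]::GetBytes([uint32]$tpm.ManufacturerId)
    [Array]::Reverse($bytes)          # BitConverter is little-endian on x86/x64
    $vendor = ([Text.Encoding]::ASCII.GetString($bytes)).Trim([char]0)

    # SpecVersion looks like "2.0, 0, 1.16": TCG family, level, revision.
    $family = ($tpm.SpecVersion -split ',')[0].Trim()

    [pscustomobject]@{
        Present             = $true
        Vendor              = $vendor
        ManufacturerVersion = $tpm.ManufacturerVersion
        SpecFamily          = $family
        Enabled             = $tpm.IsEnabled_InitialValue
        Activated           = $tpm.IsActivated_InitialValue
    }
}

$inv = Get-TpmInventory
$inv | Format-List

# The advisory scopes the flaw to TPM 2.0 firmware, so only those hosts need
# the vendor's affected-version list; the list itself comes from the vendor.
if ($inv.Present -and $inv.SpecFamily -eq '2.0') {
    "TPM 2.0 from vendor '$($inv.Vendor)', firmware $($inv.ManufacturerVersion): check that vendor's ADV190024 guidance"
}
```

Run it across a fleet (for example through a remoting job) and group by Vendor and ManufacturerVersion to see which firmware lines need a vendor update and which enrolled services may need re-enrolment afterwards.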
Microsoft releases more servicing stack updates
For the third month in a row, Microsoft released updates for the servicing stack for Windows client and server operating systems. Microsoft does not typically give a clear deadline when a servicing stack needs to be applied but has given as little as two months in some instances, Goettl said.
Servicing stack updates are not part of the cumulative updates for Windows but rather are installed separately.
Researchers say first BlueKeep exploit attempts underway
In security news beyond the November Patch Tuesday security updates, the first reports of the BlueKeep exploit targeting users began at the end of October when security researcher Kevin Beaumont spotted hacking attempts using the RDP flaw on his honeypots and reported the findings on his blog.
On May Patch Tuesday, Microsoft corrected the critical remote code execution flaw (CVE-2019-0708) dubbed BlueKeep that affects Windows 7 and Windows Server 2008/2008 R2 systems. Due to the “wormable” nature of the vulnerability, many in IT felt BlueKeep might surpass the impact of the WannaCry outbreak. At one point there were more than a million public IPs running RDP that were vulnerable to a BlueKeep attack, which should serve as a wake-up call for IT to tighten up lax RDP practices, Goettl said.
“People should just be a little bit more intelligent about how they’re using RDP. You are opening a gateway into your network,” Goettl said. “There are people who have public-facing RDP that’s not behind a VPN, doesn’t require authentication. There are about four or five things people can do to better secure RDP services, especially when they’re exposing it to public IPs, but they’re just not doing it.”
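The points Goettl raises (RDP reachable without a VPN, no authentication required before a session is set up) can be checked on each host. The audit script below is an added example, not from the article or from Ivanti; it assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (for the NetSecurity cmdlets) and English-language firewall rule group names. It does not check whether the CVE-2019-0708 update itself is installed, because the KB number differs per OS and is not given here.

```powershell
# Added example (not from the article): audit one host's RDP exposure.
# Assumes: elevated PowerShell, Windows 8 / Server 2012+, en-US rule names.
function Test-RdpExposure {
    $findings = New-Object System.Collections.Generic.List[string]

    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

    $rdpEnabled  = ($ts.fDenyTSConnections -eq 0)   # 1 = RDP disabled
    $nlaRequired = ($tcp.UserAuthentication -eq 1)  # Network Level Authentication
    $port        = [int]$tcp.PortNumber             # default 3389

    if ($rdpEnabled -and -not $nlaRequired) {
        $findings.Add('RDP accepts connections without Network Level Authentication')
    }

    # Enabled inbound "Remote Desktop" rules whose remote scope is "Any" expose
    # the listener on every interface the host has, public ones included.
    $openRules = @()
    if (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue) {
        $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound `
                                     -Enabled True -ErrorAction SilentlyContinue
        foreach ($r in $rules) {
            $remote = ($r | Get-NetFirewallAddressFilter).RemoteAddress
            if ($remote -contains 'Any') { $openRules += $r.DisplayName }
        }
        if ($rdpEnabled -and $openRules.Count -gt 0) {
            $findings.Add("Firewall allows RDP from any remote address via: $($openRules -join ', ')")
        }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        RdpEnabled   = $rdpEnabled
        NlaRequired  = $nlaRequired
        ListenPort   = $port
        OpenToAnyVia = $openRules
        Findings     = $findings.ToArray()
    }
}

Test-RdpExposure | Format-List
```

A host with RdpEnabled true, NlaRequired false and an OpenToAnyVia entry is exactly the "public-facing, no authentication" case the quote describes; scoping the firewall rule to the VPN or management subnet and setting UserAuthentication to 1 closes both gaps until the update is confirmed installed.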