November Microsoft Security Bundle Addresses 75 Vulnerabilities
Microsoft on Tuesday announced the release of its November security updates.
Details are contained in the 83 pages of the Microsoft Security Update Guide, although outside security researchers offer perhaps more useful synopses. A count by Jon Munshaw of Cisco's Talos security blog estimated that the November bundle addresses 75 vulnerabilities in total. Of that number, 13 vulnerabilities are rated "Critical" to patch, while 62 vulnerabilities are deemed "Important."
The November bundle also includes one new security advisory describing a Critical vulnerability in Trusted Platform Module (TPM) chips using the Elliptic Curve Digital Signal Algorithm. Dustin Childs of Trend Micro's Zero Day Initiative blog explained that "no current Windows system uses this algorithm, but other software or services might." Microsoft isn't supplying a patch in this case, he added. Instead, affected TPM chips will need to get a firmware fix provided by the chip maker. However, updating TPM firmware is an involved process for IT pros, and "the servicing will not be a simple task," Childs noted.
Microsoft also updated its Servicing Stack Update (SSU) advisory (ADV990001) this month, listing patches for multiple Windows versions. They're patches for the patching system itself, and likely "will at some point become a pre-requisite for future updates on affected systems," according to Chris Goettl, director of product management for security at Ivanti, via e-mail. Ivanti's Patch Tuesday talk will take place on Nov. 13 (sign-up here).
SSU changes will get enforced by Microsoft after about a couple of months, Goettl estimated:
Microsoft usually releases the SSU at least a couple months before the changes will be fully in effect. The shortest we have observed an SSU release to being required for future updates has been two months. Maybe take a conservative approach this month and do some light testing and see what happens in December before going too crazy with your SSU rollout.
Of the 13 Critical vulnerabilities in the November patch bundle, just one, namely CVE-2019-1429, is known by Microsoft to have been exploited. CVE-2019-1429 is a possible remote code execution risk because of the way the Internet Explorer browser's scripting engine handles objects in memory. Microsoft's security bulletin warned that "an attacker could execute arbitrary code in the context of the current user" and could gain that user's access rights. An attack can occur if a user visits a particular Web site or accesses a "Microsoft Office document that hosts the IE rendering engine," Microsoft explained. Childs commented that "that second vector means you need this patch even if you don't use IE."
The Hyper-V hypervisor on Windows systems is getting patched for Critical remote code execution issues, including "CVE-2019-0721, CVE-2019-1389, CVE-2019-1397 and CVE-2019-1398." The vulnerabilities result from improper input validations, according to Munshaw.
"These bugs arise when Hyper-V on a host server improperly validates input from an authenticated user on a guest operating system," Munshaw wrote regarding the Hyper-V vulnerabilities. "An attacker can exploit these vulnerabilities by running a specially crafted application on a guest OS. This could allow a malicious user to escape the hypervisor or a sandbox."
Other Critical patches were highlighted by the researchers. Patches "CVE-2019-1426, CVE-2019-1427, CVE-2019-1428 and CVE-2019-1429" address remote code execution vulnerabilities in the Microsoft Scripting Engine in the Microsoft Edge browser, which can get exploited when visiting an attacker-controlled Web site. Microsoft also is patching a Critical VBScript remote code execution flaw (CVE-2019-1390) associated with the Internet Explorer browser or with opening an Office document.
On top of those patch highlights, Goettl noted that Windows 10 version 1803 has hit its end-of-life servicing for the "Home, Pro and Pro for Workstations editions" and is getting its last security patches, although the Enterprise and Education editions are still supported through Nov. 10, 2020.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.