November Microsoft Security Bundle Addresses 75 Vulnerabilities

Microsoft on Tuesday announced the release of its November security updates.

Details are contained in the 83 pages of the Microsoft Security Update Guide, although outside security researchers offer perhaps more useful synopses. A count by Jon Munshaw of Cisco's Talos security blog estimated that the November bundle addresses 75 vulnerabilities in total. Of that number, 13 vulnerabilities are rated "Critical" to patch, while 62 vulnerabilities are deemed "Important."

Security Advisories
The November bundle also includes one new security advisory describing a Critical vulnerability in Trusted Platform Module (TPM) chips using the Elliptic Curve Digital Signature Algorithm. Dustin Childs of Trend Micro's Zero Day Initiative blog explained that "no current Windows system uses this algorithm, but other software or services might." Microsoft isn't supplying a patch in this case, he added. Instead, affected TPM chips will need to get a firmware fix provided by the chip maker. However, updating TPM firmware is an involved process for IT pros, and "the servicing will not be a simple task," Childs noted.

Microsoft also updated its Servicing Stack Update (SSU) advisory (ADV990001) this month, listing patches for multiple Windows versions. They're patches for the patching system itself, and likely "will at some point become a pre-requisite for future updates on affected systems," according to Chris Goettl, director of product management for security at Ivanti, via e-mail. Ivanti's Patch Tuesday talk will take place on Nov. 13.

SSU changes will get enforced by Microsoft after about a couple of months, Goettl estimated:

Microsoft usually releases the SSU at least a couple months before the changes will be fully in effect. The shortest we have observed an SSU release to being required for future updates has been two months. Maybe take a conservative approach this month and do some light testing and see what happens in December before going too crazy with your SSU rollout.

Critical Vulnerabilities
Of the 13 Critical vulnerabilities in the November patch bundle, just one, namely CVE-2019-1429, is known by Microsoft to have been exploited. CVE-2019-1429 is a possible remote code execution risk because of the way the Internet Explorer browser's scripting engine handles objects in memory. Microsoft's security bulletin warned that "an attacker could execute arbitrary code in the context of the current user" and could gain that user's access rights. An attack can occur if a user visits a particular Web site or accesses a "Microsoft Office document that hosts the IE rendering engine," Microsoft explained. Childs commented that "that second vector means you need this patch even if you don't use IE."

The Hyper-V hypervisor on Windows systems is getting patched for Critical remote code execution issues, including "CVE-2019-0721, CVE-2019-1389, CVE-2019-1397 and CVE-2019-1398." The vulnerabilities result from improper input validations, according to Munshaw.

"These bugs arise when Hyper-V on a host server improperly validates input from an authenticated user on a guest operating system," Munshaw wrote regarding the Hyper-V vulnerabilities. "An attacker can exploit these vulnerabilities by running a specially crafted application on a guest OS. This could allow a malicious user to escape the hypervisor or a sandbox."

Other Critical patches were highlighted by the researchers. Patches "CVE-2019-1426, CVE-2019-1427, CVE-2019-1428 and CVE-2019-1429" address remote code execution vulnerabilities in the Microsoft Scripting Engine in the Microsoft Edge browser, which can get exploited when visiting an attacker-controlled Web site. Microsoft also is patching a Critical VBScript remote code execution flaw (CVE-2019-1390) associated with the Internet Explorer browser or with opening an Office document.

On top of those patch highlights, Goettl noted that Windows 10 version 1803 has hit its end-of-life servicing for the "Home, Pro and Pro for Workstations editions" and is getting its last security patches, although the Enterprise and Education editions are still supported through Nov. 10, 2020.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.
