Microsoft released a total of 36 patches for December’s Patch Tuesday. Decembers tend to have a relatively low number of patches, and the last Patch Tuesday of the 2010s was no different. Seven of the 36 patches were identified as Critical, 28 Important, and one Moderate. The vulnerabilities covered a wide variety of Microsoft products, including Windows, Internet Explorer, Office, Hyper-V Server, and SQL Server. None of the fixed vulnerabilities were disclosed to the public before patching, although one was under active attack at the time of the patch.
Here’s a more detailed look at the notable vulnerabilities that have been patched in December:
XSS vulnerability in SQL Server Report Manager
CVE-2019-1332 is a cross-site scripting (XSS) vulnerability in SQL Server Report Manager. If successfully abused, an attacker could steal web cookies, hijack web sessions. This vulnerability can also potentially allow unauthorized access to the affected computer.
Remote Desktop Protocol vulnerability
CVE-2019-1453, a denial of service vulnerability in Remote Desktop Protocol (RDP), is triggered when an attacker connects to the target system using RDP and sends specially crafted requests. Upon successful execution, an attacker could cause the RDP service on the target system to stop responding.
RCE vulnerability in PowerPoint
CVE-2019-1462 is an RCE vulnerability that can let an attacker run arbitrary code in the context of the current user. A current user logged on with administrative user rights can allow an attacker to take control of the affected system.
Windows component vulnerabilities
Several vulnerabilities were found in key Windows components, including two flaws in Hyper-V Server: CVE-2019-1471, a remote code execution (RCE) vulnerability, and CVE-2019-1470, an information disclosure vulnerability.
CVE-2019-1471 can be abused when an attacker runs a specially crafted application on a guest operating system (OS), which could allow arbitrary code execution on the affected system. Meanwhile, CVE-2019-1470 can allow an attacker to gain access to information on the Hyper-V host OS.
Trend Micro solutions
Users with affected installations are advised to prioritize the updates in order to avoid possible system exploitation through unpatched vulnerabilities. The Trend Micro™ Deep Security™ and Vulnerability Protection solutions also protect systems and users from threats targeting the vulnerabilities included in this month’s Patch Tuesday, updating or creating rules to address applicable vulnerabilities found. The following rules have been released to cover the appropriate vulnerabilities:
- 1010083-Microsoft Windows Jet Database Engine Remote Code Execution Vulnerability (CVE-2019-0617)
- 1010084-Microsoft Windows Jet Database Engine Multiple Remote Code Execution Vulnerabilities (Jan-2019)
- 1010085-Microsoft Internet Explorer VBScript Remote Code Execution Vulnerability (CVE-2019-1485)
- 1010086-Microsoft GDI+ Remote Code Execution Vulnerability (CVE-2019-0853)
- 1010087-Microsoft Windows Elevation of Privilege Vulnerability (CVE-2019-1458)
- 1010088-Microsoft Windows GDI Information Disclosure Vulnerability (CVE-2019-1439)
- 1010089-Microsoft Windows Graphics Multiple Remote Code Execution Vulnerabilities (Aug-2019)
- 1010090-Microsoft Windows DirectWrite Remote Code Execution Vulnerability (CVE-2019-1117 and CVE-2019-1118)
- 1010091-Microsoft Windows DirectWrite Remote Code Execution Vulnerability (CVE-2019-1119)
- 1010092-Microsoft Windows Common Log File System Driver Elevation Of Privilege Vulnerability (CVE-2019-0959)
- 1010093-Microsoft Windows Graphics Remote Code Execution Vulnerability (CVE-2019-1150)
- 1010102-Microsoft Windows Media Player Information Disclosure Vulnerability (CVE-2019-1480 and CVE-2019-1481)
- 1010103-Microsoft Windows Multiple Information Disclosure Vulnerabilities (Dec 2019)
- 1010105-Microsoft PowerPoint Remote Code Execution Vulnerability (CVE-2019-1462)
- 36787: HTTP: Microsoft Windows User-Mode Privilege Escalation Vulnerability
- 36779: HTTP: Microsoft Internet Explorer VBScript Filter Use-After-Free Vulnerability