Following the relatively light list from last month, November proved to be a much more eventful month for Microsoft users. The November Patch Tuesday holds more fixes with a total of 74 patches, 13 of which were classified as Critical patches for remote code execution (RCE) vulnerabilities. The remaining majority were rated as Important and included patches for Windows graphics components and Microsoft SharePoint, among others. This Patch Tuesday also coincides with the start of the rollout of the Windows 10 November 2019 Update, which is now available to users as an opt-in version via Windows Update.
Here are a few details on the fixed vulnerabilities for this month.
Hyper-V patches
CVE-2019-0721, CVE-2019-1389, CVE-2019-1397, and CVE-2019-1398. A significant portion of the Critical vulnerabilities patched this month addressed flaws in Hyper-V, Microsoft’s virtualization software. The vulnerabilities exist because Hyper-V fails to adequately validate input from a guest operating system. An attacker could run a specially crafted application on a guest operating system that causes the Hyper-V host operating system to execute arbitrary code.
Microsoft Exchange patch
CVE-2019-1373. The Critical patches also included a fix for an RCE vulnerability in Microsoft Exchange, which manifests in the deserialization of metadata through PowerShell. Using this vulnerability, a successful threat actor can run arbitrary code as a legitimate system user. To exploit this vulnerability, an attacker would need to run cmdlets via PowerShell.
Microsoft SharePoint patch
CVE-2019-1443. Among the patches classified as Important was one for an information disclosure vulnerability in SharePoint. Using this vulnerability, a potential threat actor can upload a specially crafted file to the SharePoint server that would allow them to obtain SMB hashes. The patch fixes how SharePoint checks file content, which is where the vulnerability exists.
Windows TCP/IP patch
CVE-2019-1324. Microsoft also patched a vulnerability in the Windows TCP/IP stack, which improperly handles IPv6 packets. Threat actors who successfully exploit this vulnerability could acquire information they can use to compromise the system further. Exploiting this vulnerability involves sending specially crafted IPv6 packets to the targeted Windows computer.
Windows graphics patches
CVE-2019-1439. One of the Important patches addressed an information disclosure vulnerability in Windows’ Graphics Device Interface (GDI), which is responsible for rendering graphical objects on output devices like monitors and printers. A threat actor could use social engineering techniques to have a user open a malicious document or visit an untrusted webpage, which would allow them to exploit the vulnerability and steal sensitive information.
CVE-2019-1407 and CVE-2019-1433. Another two patches addressed elevation of privilege vulnerabilities in the Windows Graphics Component. The patches correct the way the graphics component handles objects in memory, preventing potential attackers from running processes in an elevated context.
Mac Macro patch
CVE-2019-1457. The November list also includes a notable fix for an earlier reported vulnerability in Microsoft Office for Mac. The flaw, which affects the option “Disable all macros without notification,” allows a certain macro format called XLM to run without any prompt, which could give potential threat actors an opening to run arbitrary code.
Trend Micro solutions
Users with affected installations are advised to prioritize the updates in order to defend against possible exploits through unpatched vulnerabilities. The Trend Micro™ Deep Security™ and Vulnerability Protection solutions also protect systems and users from threats targeting the vulnerabilities included in this month’s Patch Tuesday, by updating or creating rules to address the applicable vulnerabilities. The following rules have been released to cover the appropriate vulnerabilities:
- 1010050-Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2019-1429)
- 1010051-Microsoft Internet Explorer VBScript Remote Code Execution Vulnerability (CVE-2019-1390)
- 1010052-Microsoft Windows Imaging API Remote Code Execution Vulnerability (CVE-2019-1311)
- 1010053-Microsoft Jet Database Engine Remote Code Execution Vulnerability (CVE-2019-1358)
- 1010054-Microsoft Jet Database Engine Remote Code Execution Vulnerability (CVE-2019-1359)
We are working hard to continue to provide protection where possible. You can keep track of the latest released rules through the following advisory.