Microsoft’s November 2019 Patch Tuesday contains updates for 74 CVEs, 13 of which are rated critical. This month’s release covers 16 remote code execution (RCE) vulnerabilities and 27 elevation of privilege (EoP) flaws across a variety of products. Additionally, Microsoft has patched an increased number of vulnerabilities in Hyper-V, a number of which were denial of service (DoS) flaws. The following is a breakdown of the most important CVEs from this month’s release.
“This month’s Patch release contains updates for nearly 75 CVEs. One of the vulnerabilities, CVE-2019-1429, was first exploited in the wild as a zero-day and could enable an attacker to execute arbitrary code under the same privileges of the current user. If the user has administrative rights, an attacker would be able to perform a variety of actions, such as creating a new account with full user rights, installing programs, and viewing, changing or deleting data. An attacker would need to convince a user to visit a website containing the exploit code using Internet Explorer in order to exploit the flaw,” said Satnam Narang, Senior Research Engineer at Tenable. “CVE-2019-1457, which was publicly disclosed at the end of October, is a security feature bypass in Microsoft Office for Mac due to improper enforcement of macro settings in Excel documents. An attacker would need to create a specially crafted Excel document using the SYLK (SYmbolic LinK) file format and convince a user to open such a file using a vulnerable version of Microsoft Office for Mac. Successful exploitation would allow an attacker to execute arbitrary code on the victim’s system.”
As a reminder, Windows 7 support will be discontinued on January 14, 2020, so we strongly recommend reviewing which hosts remain and any action plans for migration. Plugin ID 11936 (OS Identification) can be useful for identifying hosts that are still running Windows 7.