Posted: 22 Min ReadThreat Intelligence

Microsoft Patch Tuesday – November 2019

This month the vendor has patched 75 vulnerabilities, 14 of which are rated Critical.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft's summary of the November 2019 releases can be found here:
https://portal.msrc.microsoft.com/en-us/security-guidance

 

This month's update covers vulnerabilities in:

  • Internet Explorer
  • Microsoft Edge
  • ChakraCore
  • Microsoft Office
  • Microsoft Windows
  • Microsoft Hyper-V
  • Graphics Device Interface
  • Jet Database Engine
  • Azure
  • Open Enclave SDK
  • Visual Studio
  • OpenType Font Driver
  • Microsoft Exchange

The following is a breakdown of the issues being addressed this month:

  1. Cumulative Security Update for Microsoft Browsers

    Scripting Engine Memory Corruption Vulnerability (CVE-2019-1426) MS Rating: Critical

    A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge (HTML-based). The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. Attackers can exploit this issue by enticing an unsuspecting user to view a specially crafted web page.

     

    Scripting Engine Memory Corruption Vulnerability (CVE-2019-1427) MS Rating: Critical

    A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge (HTML-based). The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. Attackers can exploit this issue by enticing an unsuspecting user to view a specially crafted web page.

     

    Scripting Engine Memory Corruption Vulnerability (CVE-2019-1428) MS Rating: Critical

    A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge (HTML-based). The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. Attackers can exploit this issue by enticing an unsuspecting user to view a specially crafted web page.

     

    Scripting Engine Memory Corruption Vulnerability (CVE-2019-1429) MS Rating: Critical

    A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. Attackers can exploit this issue by enticing an unsuspecting user to view a specially crafted web page.

     

    VBScript Remote Code Execution Vulnerability (CVE-2019-1390) MS Rating: Critical

    A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. Attackers can exploit this issue by enticing an unsuspecting user to view a specially crafted web page.

     

    Microsoft Edge Security Bypass Vulnerability (CVE-2019-1413) MS Rating: Important

    A security bypass vulnerability exists when Microsoft Edge improperly handles extension requests and fails to request host permission for all_urls. An attacker who successfully exploited this vulnerability could trick a browser into installing an extension without the user's consent.

     

  2. Cumulative Security Update for Microsoft Office

    Microsoft Office Security Bypass Vulnerability (CVE-2019-1442) MS Rating: Important

    A security bypass vulnerability exists when Microsoft Office does not validate URLs. An attacker could send a victim a specially crafted file, which could trick the victim into entering credentials.

     

    Microsoft SharePoint Information Disclosure Vulnerability (CVE-2019-1443) MS Rating: Important

    An information disclosure vulnerability exists in Microsoft SharePoint when an attacker uploads a specially crafted file to the SharePoint Server. An authenticated attacker who successfully exploited this vulnerability could potentially leverage SharePoint functionality to obtain SMB hashes.

     

    Microsoft Office Online Spoofing Vulnerability (CVE-2019-1445) MS Rating: Important

    A spoofing vulnerability exists when Office Online does not validate origin in cross-origin communications handlers correctly. An attacker could exploit the vulnerability by sending a specially crafted request to an affected site.

     

    Microsoft Excel Information Disclosure Vulnerability (CVE-2019-1446) MS Rating: Important

    An information disclosure vulnerability exists when Microsoft Excel improperly discloses the contents of its memory. An attacker who exploited the vulnerability could use the information to compromise the user's computer or data.

     

    Microsoft Office Online Spoofing Vulnerability (CVE-2019-1447) MS Rating: Important

    A spoofing vulnerability exists when Office Online does not validate origin in cross-origin communications handlers correctly. An attacker could exploit the vulnerability by sending a specially crafted request to an affected site.

     

    Microsoft Excel Remote Code Execution Vulnerability (CVE-2019-1448) MS Rating: Important

    A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user.

     

    Microsoft Office ClickToRun Security Bypass Vulnerability (CVE-2019-1449) MS Rating: Important

    A security bypass vulnerability exists in the way that Office Click-to-Run (C2R) components handle a specially crafted file, which could lead to a standard user, any AppContainer sandbox, and Office LPAC Protected View to escalate privileges to SYSTEM. To exploit this bug, an attacker would have to run a specially crafted file.

     

    Microsoft Access Information Disclosure Vulnerability (CVE-2019-1402) MS Rating: Important

    An information disclosure vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system.

     

    Microsoft Office Excel Security Bypass Vulnerability (CVE-2019-1457) MS Rating: Important

    A security bypass vulnerability exists in Microsoft Office software by not enforcing macro settings on an Excel document. This issue by itself does not allow arbitrary code execution.

     

  3. Cumulative Security Update for Microsoft Windows Kernel

    Win32k Graphics Remote Code Execution Vulnerability (CVE-2019-1441) MS Rating: Critical

    A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited this vulnerability could take control of the affected system.

     

    Win32k Privilege Escalation Vulnerability (CVE-2019-1393) MS Rating: Important

    A privilege escalation vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.

     

    Win32k Privilege Escalation Vulnerability (CVE-2019-1394) MS Rating: Important

    A privilege escalation vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.

     

    Win32k Privilege Escalation Vulnerability (CVE-2019-1395) MS Rating: Important

    A privilege escalation vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.

     

    Win32k Privilege Escalation Vulnerability (CVE-2019-1396) MS Rating: Important

    A privilege escalation vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.

     

    Win32k Privilege Escalation Vulnerability (CVE-2019-1408) MS Rating: Important

    A privilege escalation vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.

     

    Win32k Privilege Escalation Vulnerability (CVE-2019-1434) MS Rating: Important

    A privilege escalation vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.

     

    Win32k Information Disclosure Vulnerability (CVE-2019-1436) MS Rating: Important

    An information disclosure vulnerability exists when the win32k component improperly provides kernel information. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system.

     

    Win32k Information Disclosure Vulnerability (CVE-2019-1440) MS Rating: Important

    An information disclosure vulnerability exists when the win32k component improperly provides kernel information. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system.

     

    Windows Kernel Information Disclosure Vulnerability (CVE-2019-11135) MS Rating: Important

    An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system.

     

    Windows Kernel Privilege Escalation Vulnerability (CVE-2019-1392) MS Rating: Important

    A privilege escalation vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.

     

  4. Cumulative Security Update for Microsoft Hyper-V

    Hyper-V Remote Code Execution Vulnerability (CVE-2019-0719) MS Rating: Critical

    A remote code execution vulnerability exists when Windows Hyper-V Network Switch on a host server fails to properly validate input from an authenticated user on a guest operating system.

     

    Hyper-V Remote Code Execution Vulnerability (CVE-2019-0721) MS Rating: Critical

    A remote code execution vulnerability exists when Windows Hyper-V Network Switch on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code.

     

    Windows Hyper-V Remote Code Execution Vulnerability (CVE-2019-1389) MS Rating: Critical

    A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code.

     

    Windows Hyper-V Remote Code Execution Vulnerability (CVE-2019-1397) MS Rating: Critical

    A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code.

     

    Windows Hyper-V Remote Code Execution Vulnerability (CVE-2019-1398) MS Rating: Critical

    A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code.

     

    Windows Hyper-V Denial of Service Vulnerability (CVE-2019-0712) MS Rating: Important

    A denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system. An attacker who successfully exploited the vulnerability could cause the host server to crash.

     

    Windows Hyper-V Denial of Service Vulnerability (CVE-2019-1309) MS Rating: Important

    A denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system. An attacker who successfully exploited the vulnerability could cause the host server to crash.

     

    Windows Hyper-V Denial of Service Vulnerability (CVE-2019-1310) MS Rating: Important

    A denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system. An attacker who successfully exploited the vulnerability could cause the host server to crash.

     

    Windows Hyper-V Denial of Service Vulnerability (CVE-2019-1399) MS Rating: Important

    A denial of service vulnerability exists when Microsoft Hyper-V on a host server fails to properly validate input from a privileged user on a guest operating system. To exploit the vulnerability, an attacker who already has a privileged account on a guest operating system, running as a virtual machine, could run a specially crafted application that causes a host machine to crash.

     

  5. Security Update for Microsoft Graphics

    Windows Graphics Component Privilege Escalation Vulnerability (CVE-2019-1407) MS Rating: Important

    A privilege escalation vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context.

     

    Windows Graphics Component Privilege Escalation Vulnerability (CVE-2019-1433) MS Rating: Important

    A privilege escalation vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context.

     

    Windows Graphics Component Privilege Escalation Vulnerability (CVE-2019-1435) MS Rating: Important

    A privilege escalation vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context.

     

    Windows Graphics Component Privilege Escalation Vulnerability (CVE-2019-1437) MS Rating: Important

    A privilege escalation vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context.

     

    Windows Graphics Component Privilege Escalation Vulnerability (CVE-2019-1438) MS Rating: Important

    A privilege escalation vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context.

     

    Windows GDI Information Disclosure Vulnerability (CVE-2019-1439) MS Rating: Important

    An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system.

     

  6. Security Update for Microsoft Windows

    Microsoft Windows Media Foundation Remote Code Execution Vulnerability (CVE-2019-1430) MS Rating: Critical

    A remote code execution vulnerability exists when Windows Media Foundation improperly parses specially crafted QuickTime media files. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user.

     

    Windows TCP/IP Information Disclosure Vulnerability (CVE-2019-1324) MS Rating: Important

    An information disclosure vulnerability exists when the Windows TCP/IP stack improperly handles IPv6 flowlabel filled in packets. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system.

     

    Windows Error Reporting Information Disclosure Vulnerability (CVE-2019-1374) MS Rating: Important

    An information disclosure vulnerability exists in the way Windows Error Reporting (WER) handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system.

     

    Windows Data Sharing Service Privilege Escalation Vulnerability (CVE-2019-1379) MS Rating: Important

    A privilege escalation vulnerability exists when the Windows Data Sharing Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context.

     

    Microsoft splwow64 Privilege Escalation Vulnerability (CVE-2019-1380) MS Rating: Important

    A local Privilege Escalation Vulnerability exists in how 'splwow64.exe' handles certain calls. An attacker who successfully exploited the vulnerability could elevate privileges on an affected system from low-integrity to medium-integrity.

     

    Microsoft Windows Information Disclosure Vulnerability (CVE-2019-1381) MS Rating: Important

    An information disclosure vulnerability exists when the Windows Servicing Stack allows access to unprivileged file locations. An attacker who successfully exploited the vulnerability could potentially access unauthorized files.

     

    Microsoft ActiveX Installer Service Privilege Escalation Vulnerability (CVE-2019-1382) MS Rating: Important

    A privilege escalation vulnerability exists when ActiveX Installer service may allow access to files without proper authentication. An attacker who successfully exploited the vulnerability could potentially access unauthorized files.

     

    Windows Data Sharing Service Privilege Escalation Vulnerability (CVE-2019-1383) MS Rating: Important

    A privilege escalation vulnerability exists when the Windows Data Sharing Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context.

     

    Microsoft Windows Security Bypass Vulnerability (CVE-2019-1384) MS Rating: Important

    A security bypass vulnerability exists where a NETLOGON message is able to obtain the session key and sign messages. To exploit this vulnerability, an attacker could send a specially crafted authentication request.

     

    Windows Privilege Escalation Vulnerability (CVE-2019-1385) MS Rating: Important

    A privilege escalation vulnerability exists when the Windows AppX Deployment Extensions improperly performs privilege management, resulting in access to system files. To exploit this vulnerability, an authenticated attacker would need to run a specially crafted application to elevate privileges.

     

    Windows Certificate Dialog Privilege Escalation Vulnerability (CVE-2019-1388) MS Rating: Important

    A privilege escalation vulnerability exists in the Windows Certificate Dialog when it does not properly enforce user privileges. An attacker who successfully exploited this vulnerability could run processes in an elevated context.

     

    Windows Denial of Service Vulnerability (CVE-2019-1391) MS Rating: Important

    A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding.

     

    Windows UPnP Service Privilege Escalation Vulnerability (CVE-2019-1405) MS Rating: Important

    A privilege escalation vulnerability exists when the Windows Universal Plug and Play (UPnP) service improperly allows COM object creation. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges.

     

    Windows Remote Procedure Call Information Disclosure Vulnerability (CVE-2019-1409) MS Rating: Important

    An information disclosure vulnerability exists when the Windows Remote Procedure Call (RPC) runtime improperly initializes objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system.

     

    DirectWrite Information Disclosure Vulnerability (CVE-2019-1411) MS Rating: Important

    An information disclosure vulnerability exists when DirectWrite improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system.

     

    Windows Installer Privilege Escalation Vulnerability (CVE-2019-1415) MS Rating: Important

    A privilege escalation vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. To exploit the vulnerability, an attacker would require unprivileged execution on the victim system.

     

    Windows Subsystem for Linux Privilege Escalation Vulnerability (CVE-2019-1416) MS Rating: Important

    A privilege escalation vulnerability exists due to a race condition in Windows Subsystem for Linux. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.

     

    Windows Data Sharing Service Privilege Escalation Vulnerability (CVE-2019-1417) MS Rating: Important

    A privilege escalation vulnerability exists when the Windows Data Sharing Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context.

     

    Windows Modules Installer Service Information Disclosure Vulnerability (CVE-2019-1418) MS Rating: Important

    An information vulnerability exists when Windows Modules Installer Service improperly discloses file information. Successful exploitation of the vulnerability could allow the attacker to read the contents of a log file on disk.

     

    Windows Privilege Escalation Vulnerability (CVE-2019-1420) MS Rating: Important

    A privilege escalation vulnerability exists in the way that the 'dssvc.dll' handles file creation allowing for a file overwrite or creation in a secured location. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.

     

    Windows Privilege Escalation Vulnerability (CVE-2019-1422) MS Rating: Important

    A privilege escalation vulnerability exists in the way that the 'iphlpsvc.dll' handles file creation allowing for a file overwrite. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.

     

    Windows Privilege Escalation Vulnerability (CVE-2019-1423) MS Rating: Important

    A privilege escalation vulnerability exists in the way that the 'StartTileData.dll' handles file creation in protected locations. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.

     

    NetLogon Security Bypass Vulnerability (CVE-2019-1424) MS Rating: Important

    A security bypass vulnerability exists when Windows Netlogon improperly handles a secure communications channel. An attacker who successfully exploited the vulnerability could downgrade aspects of the connection allowing for further modification of the transmission.

     

    DirectWrite Information Disclosure Vulnerability (CVE-2019-1432) MS Rating: Important

    An information disclosure vulnerability exists when DirectWrite improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system.

     

    Windows User Profile Service Privilege Escalation Vulnerability (CVE-2019-1454) MS Rating: Important

    A privilege escalation vulnerability exists when the Windows User Profile Service (ProfSvc) improperly handles symlinks. An attacker who successfully exploited this vulnerability could delete files and folders in an elevated context.

     

    Windows Denial of Service Vulnerability (CVE-2018-12207) MS Rating: Important

    A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding.

     

  7. Security Update for Jet Database Engine

    Jet Database Engine Remote Code Execution Vulnerability (CVE-2019-1406) MS Rating: Important

    A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system.

     

  8. Security Update for Microsoft Exchange

    Microsoft Exchange Remote Code Execution Vulnerability (CVE-2019-1373) MS Rating: Critical

    A remote code execution vulnerability exists in Microsoft Exchange through the deserialization of metadata via PowerShell. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the logged in user.

     

  9. Security Update for Azure

    Azure Stack Spoofing Vulnerability (CVE-2019-1234) MS Rating: Important

    A spoofing vulnerability exists when Azure Stack fails to validate certain requests. An attacker who successfully exploited the vulnerability could make requests to internal Azure Stack resources.

     

  10. Security Update for Open Enclave SDK

    Open Enclave SDK Information Disclosure Vulnerability (CVE-2019-1370) MS Rating: Important

    An information disclosure vulnerability exists when affected Open Enclave SDK versions improperly handle objects in memory. An attacker who successfully exploited this vulnerability could obtain information stored in the Enclave.

     

  11. Security Update for Visual Studio

    Visual Studio Privilege Escalation Vulnerability (CVE-2019-1425) MS Rating: Important

    A privilege escalation vulnerability exists when Visual Studio fails to properly validate hardlinks while extracting archived files. An attacker who successfully exploited this vulnerability could overwrite arbitrary files in the security context of the local system.

     

  12. Security Update for OpenType Font Driver

    OpenType Font Parsing Remote Code Execution Vulnerability (CVE-2019-1419) MS Rating: Critical

    A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles specially crafted OpenType fonts. For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely.

     

    OpenType Font Driver Information Disclosure Vulnerability (CVE-2019-1412) MS Rating: Important

    An information disclosure vulnerability exists in Windows 'Adobe Type Manager Font Driver (ATMFD.dll)' when it fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could potentially read data that was not intended to be disclosed.

     

    OpenType Font Parsing Remote Code Execution Vulnerability (CVE-2019-1456) MS Rating: Important

    A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles specially crafted OpenType fonts. For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely.

     

More information is available on Symantec's free Security Center portal and to our customers through the DeepSight Threat Management System.

About the Author

Ratheesh PM

Sr Threat Analysis Engineer

Ratheesh is a member of Symantec's Cyber Security Services organization which provides round-the-clock monitoring and protection services against cyber attacks.