Background
Microsoft has released security patches to address 36 vulnerabilities affecting its Operating System (OS) and other related products. The following vulnerabilities were rated critical and require immediate attention:
Zero-day vulnerability
Critical vulnerabilities
- CVE-2019-1468 - This remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts.
- CVE-2019-1349, CVE-2019-1350, CVE-2019-1352, CVE-2019-1354, CVE-2019-1387 - These remote code execution vulnerabilities exist when Git for Visual Studio improperly sanitizes input.
- CVE-2019-1471 - This remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system.
- ADV990001 - This is a list of the latest servicing stack updates for each operating system. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV990001
For the full list of security patches released by Microsoft, please visit https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2019-Dec
Affected Products
Microsoft’s release contains updates for the following:
Impact
Successful exploitation of these critical vulnerabilities can allow attackers to perform remote code execution and take control of the affected systems to perform malicious activities, including installing programs without authorisation, creating rogue administrator accounts, and viewing, changing or deleting data.
Recommendation
Users and system administrators of affected products are strongly encouraged to install the security updates immediately.
References
https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2019-Dec
https://www.bleepingcomputer.com/news/microsoft/microsofts-december-2019-patch-tuesday-fixes-win32k-zero-day-36-flaws/
https://www.zdnet.com/article/microsoft-december-2019-patch-tuesday-plugs-windows-zero-day/