Microsoft December 2019 Patch Tuesday

Published on 11 Dec 2019

Updated on 12 Feb 2020

Background

Microsoft has released security patches to address 36 vulnerabilities affecting its Operating System (OS) and other related products. The following vulnerabilities were rated critical and require immediate attention: 

Zero-day vulnerability

  • CVE-2019-1458 - This is an elevation of privilege vulnerability which exists in Windows when the Win32k component fails to properly handle objects in memory.

Critical vulnerabilities

  • CVE-2019-1468 - This remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. 

  • CVE-2019-1349, CVE-2019-1350,  CVE-2019-1352, CVE-2019-1354, CVE-2019-1387-  These remote code execution vulnerabilities exist when Git for Visual Studio improperly sanitizes input.  

  • CVE-2019-1471 - This remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. 

  • ADV990001 - This is a list of the latest servicing stack updates for each operating system. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV990001 

For the full list of security patches released by Microsoft, please visit https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2019-Dec

 

Affected Products

Microsoft’s release contains updates for the following: 

  • Microsoft Windows

  • Internet Explorer

  • Microsoft Office

  • Microsoft Office Services and Web Apps

  • SQL Server

  • Visual Studio

  • Skype for Business

 

Impact

Successful exploitation of these critical vulnerabilities can allow attackers to perform remote code execution and take control of the affected systems to perform malicious activities, including unauthorised installation of programs, creating rogue administrator accounts and the ability to view, change, or delete data. 

 

Recommendation

Users and system administrators of affected products are strongly encouraged to install the security updates immediately.

 

References

https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2019-Dec
https://www.bleepingcomputer.com/news/microsoft/microsofts-december-2019-patch-tuesday-fixes-win32k-zero-day-36-flaws/

https://www.zdnet.com/article/microsoft-december-2019-patch-tuesday-plugs-windows-zero-day/