The November 2019 Security Update Review
November 12, 2019 | Dustin Childs

November is here and so are the latest security patches from Microsoft and Adobe. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.
Adobe Patches for November 2019
For November, Adobe released four patches addressing 11 CVEs in Adobe Animate CC, Illustrator CC, Bridge CC, and Media Encoder. Four of these CVEs came through the ZDI program. The Media Encoder patch includes a Critical-rated fix for an Out-of-bounds (OOB) bug that could allow code execution. The patch for Illustrator also includes two Critical-rated fixes for memory corruption vulnerabilities that could lead to code execution.
The updates for Bridge and Animate CC are both rated Important in severity. The Bridge update fixes two information disclosure bugs while the patch for Animate fixes a DLL hijacking bug that could lead to a local privilege escalation (LPE). None of these bugs are listed as publicly known or under active attack at the time of release.
Microsoft Patches for November 2019
This month, Microsoft released security patches for 74 CVEs and one new advisory covering Microsoft Windows, Internet Explorer (IE), Microsoft Edge (EdgeHTML-based), ChakraCore, Office and Office Services and Web Apps, Open Source Software, Exchange Server, and Visual Studio. A total of 15 of these CVEs were reported through the ZDI program. Of these 74 CVEs, 13 are rated Critical and 61 are rated Important in severity. The new advisory being disclosed today is listed as publicly known and one CVE is listed under active attack.
Let’s take a closer look at some of the more interesting patches for this month, starting with the bug currently being exploited:
- CVE-2019-1429 – Scripting Engine Memory Corruption Vulnerability
Reported through the Google Threat Analysis Group, this patch for IE corrects a vulnerability in the way that the scripting engine handles objects in memory. This vague description for memory corruption means that an attacker can execute their code if an affected browser visits a malicious web page or opens a specially crafted Office document. That second vector means you need this patch even if you don’t use IE. Microsoft gives no information on the nature of the active attacks, but they are likely limited at this time. However, now that the patch is available for analysis, the attacks could definitely grow.
- ADV190024 – Microsoft Guidance for Vulnerability in Trusted Platform Module (TPM)
This advisory covers TPM chipsets that use the Elliptic Curve Digital Signature Algorithm (ECDSA). This NIST standard has been around for a while. Interestingly, no current Windows system uses this algorithm, but other software or services might. The bug exists in the TPM firmware and not the OS itself, so there’s no Microsoft patch here. Instead, if your system is affected, you’ll need a TPM firmware update from your chip manufacturer, and you’ll also likely need to re-enroll in security services to fully remediate this vulnerability. I’m not sure how widely deployed these chips are, but the servicing will not be a simple task.
- CVE-2019-1373 – Microsoft Exchange Remote Code Execution Vulnerability
Bugs in Exchange Server are always interesting on some level, and this one certainly doesn’t disappoint. The patch corrects a vulnerability in the deserialization of metadata via PowerShell. To exploit this, an attacker would need to convince a user to run cmdlets via PowerShell. While this may be an unlikely scenario, it only takes one user to compromise the server. If that user has administrative privileges, they could hand over complete control to the attacker.
- CVE-2019-1388 – Windows Certificate Dialog Elevation of Privilege Vulnerability
This bug was reported through the ZDI program, and we all marveled at it when it was submitted. An attacker can elevate to a shell with NT Authority\SYSTEM privileges by abusing the User Account Control (UAC) feature. Microsoft has stated UAC is not a security boundary, but this vulnerability turns it into a security liability. There are several steps involved in the actual exploitation, but it stems from clicking “Show information about this publisher's certificate” at a UAC prompt. We’ll publish additional details along with a video demonstration of this bug in the near future.
Here’s the full list of CVEs released by Microsoft for November 2019.
CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older | Type |
--- | --- | --- | --- | --- | --- | --- | --- |
CVE-2019-1429 | Scripting Engine Memory Corruption Vulnerability | Critical | No | Yes | 0 | 0 | RCE |
CVE-2019-0721 | Hyper-V Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2019-1373 | Microsoft Exchange Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2019-1389 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2019-1390 | VBScript Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 | RCE |
CVE-2019-1397 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2019-1398 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2019-1419 | OpenType Font Parsing Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2019-1426 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2019-1427 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2019-1428 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2019-1430 | Microsoft Windows Media Foundation Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2019-1441 | Win32k Graphics Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2018-12207 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2019-0712 | Windows Hyper-V Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2019-11135 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2019-1234 | Azure Stack Spoofing Vulnerability | Important | No | No | N/A | N/A | Spoof |
CVE-2019-1309 | Windows Hyper-V Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2019-1310 | Windows Hyper-V Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2019-1324 | Windows TCP/IP Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2019-1370 | Open Enclave SDK Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2019-1374 | Windows Error Reporting Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2019-1379 | Windows Data Sharing Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1380 | Microsoft splwow64 Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1381 | Microsoft Windows Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2019-1382 | Microsoft ActiveX Installer Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1383 | Windows Data Sharing Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1384 | Microsoft Windows Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 | SFB |
CVE-2019-1385 | Windows AppX Deployment Extensions Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1388 | Windows Certificate Dialog Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1391 | Windows Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2019-1392 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2019-1393 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2019-1394 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2019-1395 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2019-1396 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2019-1399 | Windows Hyper-V Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
CVE-2019-1402 | Microsoft Office Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2019-1405 | Windows UPnP Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1406 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2019-1407 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1408 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2019-1409 | Windows Remote Procedure Call Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2019-1411 | DirectWrite Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2019-1412 | OpenType Font Driver Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2019-1413 | Microsoft Edge Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 | SFB |
CVE-2019-1415 | Windows Installer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1416 | Windows Subsystem for Linux Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1417 | Windows Data Sharing Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1418 | Windows Modules Installer Service Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2019-1420 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1422 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1423 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1424 | NetLogon Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 | SFB |
CVE-2019-1425 | Visual Studio Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1432 | DirectWrite Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2019-1433 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1434 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1435 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2019-1436 | Win32k Information Disclosure Vulnerability | Important | No | No | 1 | 1 | Info |
CVE-2019-1437 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2019-1438 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2019-1439 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2019-1440 | Win32k Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2019-1442 | Microsoft Office Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 | SFB |
CVE-2019-1443 | Microsoft SharePoint Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2019-1445 | Microsoft Office Online Spoofing Vulnerability | Important | No | No | 2 | 2 | Spoof |
CVE-2019-1446 | Microsoft Excel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
CVE-2019-1447 | Microsoft Office Online Spoofing Vulnerability | Important | No | No | 2 | 2 | Spoof |
CVE-2019-1448 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
CVE-2019-1449 | Microsoft Office ClickToRun Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 | SFB |
CVE-2019-1454 | Windows User Profile Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1456 | OpenType Font Parsing Remote Code Execution Vulnerability | Important | No | No | N/A | N/A | RCE |
CVE-2019-1457 | Microsoft Office Excel Security Feature Bypass | Important | No | No | N/A | N/A | SFB |
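As an added example (not part of the original post), here is a small Python triage helper that parses the table above in the post's pipe-separated layout and orders the entries the way the review prioritizes them: the exploited bug first, then anything publicly known, then Critical ratings, then the lowest Exploitability Index. The sample rows are copied from the table; the sort order itself is an assumption about how a patch team would rank the month's release.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a few rows copied from the November 2019 table above,
# in the same pipe-separated layout the post uses (header row included).
SAMPLE_TABLE = """\
CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older | Type |
CVE-2019-1429 | Scripting Engine Memory Corruption Vulnerability | Critical | No | Yes | 0 | 0 | RCE |
CVE-2019-0721 | Hyper-V Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
CVE-2019-1388 | Windows Certificate Dialog Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
CVE-2019-1392 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
CVE-2019-1234 | Azure Stack Spoofing Vulnerability | Important | No | No | N/A | N/A | Spoof |
"""

@dataclass
class Entry:
    cve: str
    title: str
    severity: str
    public: bool
    exploited: bool
    xi_latest: Optional[int]   # Microsoft Exploitability Index; None when "N/A"
    xi_older: Optional[int]
    kind: str                  # RCE, EoP, Info, DoS, SFB, Spoof

def _xi(cell: str) -> Optional[int]:
    cell = cell.strip()
    return None if cell.upper() == "N/A" else int(cell)

def parse_table(text: str) -> List[Entry]:
    """Parse the pipe-separated CVE table, skipping the header and any non-CVE rows."""
    entries = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 8 or not re.fullmatch(r"CVE-\d{4}-\d{4,}", cells[0]):
            continue
        entries.append(Entry(cells[0], cells[1], cells[2], cells[3] == "Yes",
                             cells[4] == "Yes", _xi(cells[5]), _xi(cells[6]), cells[7]))
    return entries

def priority(e: Entry) -> tuple:
    """Sort key (assumed ranking): exploited, then public, then Critical, then lowest
    XI-Latest (0 = exploitation detected, 1 = more likely, 2 = less likely); an
    N/A index sorts after any numbered one, and ties fall back to the CVE id."""
    xi = 9 if e.xi_latest is None else e.xi_latest
    return (not e.exploited, not e.public, e.severity != "Critical", xi, e.cve)

def triage(text: str) -> List[str]:
    """Return the CVE ids in patch-first order."""
    return [e.cve for e in sorted(parse_table(text), key=priority)]

if __name__ == "__main__":
    for e in sorted(parse_table(SAMPLE_TABLE), key=priority):
        print(f"{e.cve}  {e.severity:9}  exploited={e.exploited}  XI={e.xi_latest}  {e.title}")
```

Feeding the full table from the post through `triage` puts CVE-2019-1429 at the top, followed by the Critical RCE entries and then the Important bugs with an Exploitability Index of 1.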
Looking through the Critical-rated patches, the updates for Hyper-V stand out the most. Five separate code execution bugs receive patches this month, and each could allow a user on the guest OS to execute code on the underlying host OS. Any one of those bugs could have won $250,000 for someone at this year’s Pwn2Own Vancouver event. Let’s hope they save a few for next year. Another Critical patch corrects how Windows handles QuickTime media files. However, considering Apple ended support for QuickTime on Windows back in 2016, you should consider any QuickTime media file to be suspect.
The rest of the Critical-rated patches mainly involve an aspect of web browsing – either in the browser itself or one of the components used during browsing. Interestingly, CVE-2019-1441 is listed as Critical since viewing a specially crafted font could allow code execution. However, CVE-2019-1456 has a nearly identical description but is listed as Important. This is likely due to where the font is actually rendered on the target system. Fonts may be rendered in the kernel, which obviously could lead to more severe issues than rendering in a different subsystem.
Speaking of rendering, various graphics components receive quite a few updates this month. In total, 20 different patches touch some aspect of the graphics components in Windows. Most of these resolve Elevation of Privilege (EoP) vulnerabilities, but several info disclosure bugs get fixes, too. There are 17 patches for info disclosure bugs, which is actually more than the number of RCE patches this month.
Similar to last month, the Open Enclave SDK receives a patch to address an info disclosure bug. The Windows Subsystem for Linux receives a patch for an EoP vulnerability. Ten years ago, if you predicted Microsoft would release an open-source and a Linux-related patch in the same month, you would likely have been laughed at – but here we are.
You may notice a CVE from 2018 in this month’s release as well. This actually comes from Intel and is being shipped here by Microsoft to address the vulnerability in guest virtual machines. You’ll need to manually enable protections on the host. KB4530989 provides full details on the steps needed to ensure your Hyper-V host is protected from this bug.
This month’s release is rounded out by a handful of patches for Office and several patches for various Windows components. The most notable of these include an info disclosure bug in the TCP/IP stack due to improperly handled IPv6 flow labels in packets. An attacker could get device information like resource IDs, SAS tokens, user properties, and other sensitive information from an affected device. There’s also a security feature bypass in NetLogon that would allow a MITM to degrade certain aspects of the connection. It can’t be used on its own to take over a connection, but it could be used to further modify the transmission.
Finally, in addition to the previously mentioned TPM advisory, the servicing stack advisory (ADV990001) was revised for multiple versions of Windows. No additional advisories were released this month.
Looking Ahead
The final patch Tuesday of 2019 falls on December 10, and we’ll return with details and patch analysis then. Until then, happy patching and may all your reboots be smooth and clean!