Microsoft December 2019 Patch Tuesday plugs Windows zero-day

The December 2019 Patch Tuesday fixes 36 vulnerabilities, of which seven are rated "Critical."

Windows 10 version 1909: Why this feature update should be a pleasant surprise

Microsoft has released today the December 2019 Patch Tuesday security updates. This month's updates include fixes for 36 vulnerabilities, including a zero-day in the Windows operating system that has been exploited in the wild.

"An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory," Microsoft said in a security advisory today.

"An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode," it added. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

Microsoft credited security researchers from Kaspersky Lab with discovering the zero-day, which it tracks as CVE-2019-1458.

Dustin Childs, a member of Trend Micro's Zero Day Initiative (ZDI), believes this Windows zero-day is connected to a zero-day that Google patched in Chrome at the end of October (namely CVE-2019-13720).

"[Kaspersky] reported a UAF in Chrome that was under active exploit," Childs said. "When that [Chrome] bug became public, there was speculation it was being paired with a Windows kernel bug to escape the sandbox.

"While it's not confirmed this patch is connected to those Chrome attacks, this is the type of bug one would use to perform a sandbox escape," he added.

According to Kaspersky, the Chrome zereo-day was being used by a hacker group called WizardOpium to lure users on malicious sites, where they'd use the Chrome zero-day to infect them with malware.

Following this article's publication, Kaspersky confirmed Childs' theory in a blog post that officially linked the two zero-days.

Other fixes

In total, Microsoft fixed 36 security bugs this month, of which only seven were rated critical. This is Microsoft's smallest Patch Tuesday update this year, and one of the lightest in the past three years.

Other important bugs patched this month that pose a serious risk of being used in malware campaigns or targeted attacks are CVE-2019-1468 (a remote code execution in the Win32k component) and CVE-2019-1471 (a remote code execution bug in the Windows Hyper-V virtualization toolkit).

Besides Windows, other products that received fixes include SQL Server, Visual Studio, Skype for Business, Microsoft Office, and Microsoft Office Services and Web Apps.

Additional useful Patch Tuesday information is below:

TagCVE IDCVE Title
Servicing Stack Updates ADV990001 Latest Servicing Stack Updates

ADV190026 Microsoft Guidance for cleaning up orphaned keys generated on vulnerable TPMs and used for Windows Hello for Business
End of Life Software CVE-2019-1489 Remote Desktop Protocol Information Disclosure Vulnerability
Microsoft Graphics Component CVE-2019-1465 Windows GDI Information Disclosure Vulnerability
Microsoft Graphics Component CVE-2019-1468 Win32k Graphics Remote Code Execution Vulnerability
Microsoft Graphics Component CVE-2019-1466 Windows GDI Information Disclosure Vulnerability
Microsoft Graphics Component CVE-2019-1467 Windows GDI Information Disclosure Vulnerability
Microsoft Office CVE-2019-1400 Microsoft Access Information Disclosure Vulnerability
Microsoft Office CVE-2019-1464 Microsoft Excel Information Disclosure Vulnerability
Microsoft Office CVE-2019-1461 Microsoft Word Denial of Service Vulnerability
Microsoft Office CVE-2019-1462 Microsoft PowerPoint Remote Code Execution Vulnerability
Microsoft Office CVE-2019-1463 Microsoft Access Information Disclosure Vulnerability
Microsoft Scripting Engine CVE-2019-1485 VBScript Remote Code Execution Vulnerability
Microsoft Windows CVE-2019-1453 Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability
Microsoft Windows CVE-2019-1476 Windows Elevation of Privilege Vulnerability
Microsoft Windows CVE-2019-1477 Windows Printer Service Elevation of Privilege Vulnerability
Microsoft Windows CVE-2019-1474 Windows Kernel Information Disclosure Vulnerability
Microsoft Windows CVE-2019-1478 Windows COM Server Elevation of Privilege Vulnerability
Microsoft Windows CVE-2019-1483 Windows Elevation of Privilege Vulnerability
Microsoft Windows CVE-2019-1488 Microsoft Defender Security Feature Bypass Vulnerability
Open Source Software CVE-2019-1487 Microsoft Authentication Library for Android Information Disclosure Vulnerability
Skype for Business CVE-2019-1490 Skype for Business Server Spoofing Vulnerability
SQL Server CVE-2019-1332 Microsoft SQL Server Reporting Services XSS Vulnerability
Visual Studio CVE-2019-1350 Git for Visual Studio Remote Code Execution Vulnerability
Visual Studio CVE-2019-1349 Git for Visual Studio Remote Code Execution Vulnerability
Visual Studio CVE-2019-1486 Visual Studio Live Share Spoofing Vulnerability
Visual Studio CVE-2019-1387 Git for Visual Studio Remote Code Execution Vulnerability
Visual Studio CVE-2019-1354 Git for Visual Studio Remote Code Execution Vulnerability
Visual Studio CVE-2019-1351 Git for Visual Studio Tampering Vulnerability
Visual Studio CVE-2019-1352 Git for Visual Studio Remote Code Execution Vulnerability
Windows Hyper-V CVE-2019-1471 Windows Hyper-V Remote Code Execution Vulnerability
Windows Hyper-V CVE-2019-1470 Windows Hyper-V Information Disclosure Vulnerability
Windows Kernel CVE-2019-1472 Windows Kernel Information Disclosure Vulnerability
Windows Kernel CVE-2019-1458 Win32k Elevation of Privilege Vulnerability
Windows Kernel CVE-2019-1469 Win32k Information Disclosure Vulnerability
Windows Media Player CVE-2019-1480 Windows Media Player Information Disclosure Vulnerability
Windows Media Player CVE-2019-1481 Windows Media Player Information Disclosure Vulnerability
Windows OLE CVE-2019-1484 Windows OLE Remote Code Execution Vulnerability