Microsoft's November 2019 Patch Tuesday arrives with a patch for an IE zero-day

Microsoft has released today the November 2019 Patch Tuesday security updates. This month's updates include a patch for a vulnerability in the Internet Explorer scripting engine that hackers have been seen exploiting in the wild.

Tracked as CVE-2019-1429, Microsoft says the IE bug can allow remote code execution due to "the way that the scripting engine handles objects in memory in Internet Explorer."

Furthermore, because the bug is in IE's scripting engine, this impacts more than just the Internet Explorer browser.

IE's scripting engine is also used inside Office Suite apps to display web content inside embeddable iframes. This means attackers can craft malicious Office documents and execute malicious code on a user's system if the user allows the display of rich content, such as web-based iframes.

The IE zero-day was spotted in active attacks by three different organizations: iDefense Labs, Resecurity, and Google (through its Project Zero and Threat Analysis Group) -- suggesting this is a pretty noisy attack, whatever the attack was.

The three entities who reported the bug have not yet disclosed any public details about the attacks where this zero-day was discovered.

Most Windows zero-days are usually discovered and weaponized by government-based hacking groups, but they eventually slowly make their way down the totem pole to financial crime-focused groups, then mundane spam operations, and later, automated exploit kits.

Users have between a few weeks and a few months to patch this IE zero-day until the bug is commoditized by the criminal underground and attacks spread and become more common.

Other fixes

But while the IE zero-day is the most urgent bug to fix, there is more to this month's Microsoft security updates. In total, this month's Patch Tuesday came with fixes for 74 bugs across nine Microsoft products/platforms.

Other notable fixes include a patch for Excel for Mac. This patch fixes an issue reported earlier this month, namely that Excel for Mac ignored the "Disable all macros" setting and still executed XLM-based macros scripts when users opened an Excel spreadsheet, opening users to a dangerous attack vector.

In addition, Microsoft also issued a special advisory for dealing with a mysterious vulnerability that exists in certain Trusted Platform Module (TPM) chipsets.

Tracked as CVE-2019-16863, details about this vulnerability are still secret, at the time of writing. We'll update this article once we learn more, but this looks like a serious issue that could be used to compromise TPMs -- dedicated microcontrollers (chips, cryptoprocessors) used to ensure hardware authenticity during a computer's boot-up process.

Additional useful Patch Tuesday information is below:

• Microsoft's official Security Update Guide portal lists all security updates in a filterable table.
• ZDNet also put together this page listing all security updates on one single page, in one place.
• Additional analysis of today's Patch Tuesday is also available from Cisco Talos, SANS ISC, Tenable, and Trend Micro.
• This month's Adobe security updates are detailed here.
• SAP security updates are detailed here.
• Intel security updates are also available. Plenty of important stuff fixed this month [1, 2, 3].
• The Android Security Bulletin for November 2019 is detailed here. Patches started rolling out to users' phones last week.

Security

8 habits of highly secure remote workers

How to find and remove spyware from your phone

The best VPN services: How do the top 5 compare?

How to find out if you are involved in a data breach -- and what to do next

• 8 habits of highly secure remote workers
• How to find and remove spyware from your phone
• The best VPN services: How do the top 5 compare?
• How to find out if you are involved in a data breach -- and what to do next