Microsoft has issued fixes for 36 CVEs in its December 2019 Patch Tuesday release across a range of products, with seven of them rated critical in severity, and one that is already being exploited in the wild as a zero-day. Microsoft's scheduled security update this month is relatively light, and includes patches for Microsoft Windows, Internet Explorer, Microsoft Office and related apps, SQL Server, Visual Studio and Skype for Business. In all, December Patch Tuesday addresses seven bugs rated critical, 28 rated important, and one rated moderate in severity.
Zero-Day Bug Exploited in the Wild
CVE-2019-1458 is an elevation-of-privilege vulnerability in Win32k for which a live zero-day exploit is circulating in the wild. Researchers said the exploit allows attackers to gain higher privileges on the attacked machine and to bypass the protection mechanisms (the sandbox) of the Google Chrome browser. Because it is a privilege-escalation bug, an attacker must already be able to run code on the host, typically by chaining it with a browser or document exploit; once triggered, the vulnerability allows execution of arbitrary code in kernel mode on the victim's system. From there, the attacker could perform a variety of actions, such as creating a new account with full user rights, installing programs, and viewing, changing or deleting data.
Microsoft has addressed the vulnerability by correcting how Win32k handles objects in memory. The flaw is also similar to CVE-2019-0859, a Win32k bug patched in April 2019, for which an exploit was developed and later found being sold on underground markets.
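The check an administrator will want after reading the above is whether the December 2019 updates are actually present on a host. The following PowerShell script is an added example and is not part of the CERT-MU advisory or of any Microsoft tooling; it relies only on the built-in Get-HotFix cmdlet and the Windows Update Agent COM API, and assumes the host can reach Windows Update or a WSUS server for the pending-update query. The date 10 December 2019 is the Patch Tuesday release date; the KB numbers and fixed file versions are not hard-coded, because they differ per Windows build and should be taken from the relevant KB article.

```powershell
# Added example (not the advisory's own code): verify that the December 2019
# Patch Tuesday updates, which include the CVE-2019-1458 Win32k fix, are present.
# Run in an elevated PowerShell session on the host being checked.

$patchTuesday = Get-Date -Year 2019 -Month 12 -Day 10

# 1. Hotfixes installed on or after 10 December 2019. Some entries report no
#    InstalledOn date at all, so those are excluded rather than treated as recent.
$installed = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchTuesday } |
    Sort-Object InstalledOn

if ($installed) {
    "Hotfixes installed on/after $($patchTuesday.ToShortDateString()):"
    $installed | Format-Table HotFixID, Description, InstalledOn -AutoSize
} else {
    Write-Warning ("No hotfixes installed since {0}; this host is likely missing " +
                   "the December 2019 updates, including the CVE-2019-1458 fix." -f
                   $patchTuesday.ToShortDateString())
}

# 2. Ask the Windows Update Agent which applicable updates are still missing.
#    Assumption: the agent can reach Windows Update or the configured WSUS server.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and IsHidden=0")

# Windows Update titles carry the release month, e.g. "2019-12 Cumulative Update ...".
$missingDec = @($result.Updates | Where-Object { $_.Title -like '*2019-12*' })
if ($missingDec.Count -eq 0) {
    "Windows Update reports no pending 2019-12 updates."
} else {
    foreach ($u in $missingDec) {
        Write-Warning ("Missing: {0} (KB{1})" -f $u.Title, ($u.KBArticleIDs -join ', KB'))
    }
}

# 3. Report the on-disk Win32k driver version so it can be compared by hand with
#    the fixed version listed in the KB article for this Windows build.
foreach ($name in 'win32k.sys', 'win32kfull.sys', 'win32kbase.sys') {
    $path = Join-Path $env:SystemRoot "System32\$name"
    if (Test-Path $path) {
        "{0}: {1}" -f $name, (Get-Item $path).VersionInfo.FileVersion
    }
}
```

Step 2 is the authoritative check, since a host can carry recent hotfixes and still lack the cumulative update that fixes this CVE; step 1 is a quick offline indicator, and step 3 gives the evidence to record in an incident ticket when a host is suspected of having been targeted before it was patched.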
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street